Logical Domains (LDoms) 1.0 Administration Guide

Part No. 819-6428-11
May 2007, Revision B

Sun Microsystems, Inc.
www.sun.com

Submit comments about this document at: http://www.sun.com/hwdocs/feedback
LDom Admin guide

Nov 12, 2014

venukumar.L

It will guide you to install multiple OSes through Logical Domains on a Sun T5220 server.

Copyright © 2007 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.

Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.

U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, Java, Solaris, JumpStart, OpenBoot, Sun Fire, Netra, SunSolve, Sun BluePrints, Sun Blade, Sun Ultra, and SunVTS are service marks, trademarks, or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon architecture developed by Sun Microsystems, Inc.

The Adobe PostScript logo is a trademark of Adobe Systems, Incorporated.

Products covered by and information contained in this service manual are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Contents

Preface xv

1. Overview of the Logical Domains Software 1

Hypervisor and Logical Domains 1

Logical Domains Manager 3

Roles for Logical Domains 3

Command-Line Interface 4

Virtual I/O 5

Virtual Network 5

Virtual Storage 5

Virtual Consoles 6

Dynamic Reconfiguration 6

Delayed Reconfiguration 6

Persistent Configurations 7

2. Security Considerations 9

Solaris Security Toolkit and the Logical Domains Manager 10

Hardening 10

Authorization 12

Auditing 13

Compliance 13

3. Installing and Enabling Software 15

Freshly Installing Software on the Control Domain 15

▼ To Install the Solaris OS 16

▼ To Upgrade System Firmware 17

▼ To Upgrade System Firmware Without an FTP Server 18

▼ To Downgrade System Firmware 19

Downloading Logical Domains Manager and Solaris Security Toolkit 19

▼ To Download the Logical Domains Manager and Solaris Security Toolkit 19

Installing Logical Domains Manager and Solaris Security Toolkit 20

Using the Installation Script to Install the Logical Domains Manager 1.0 and Solaris Security Toolkit 4.2 Software 20

▼ To Install Using the install-ldm Script With No Options 21

▼ To Install Using the install-ldm Script With the -d Option 24

▼ To Install Using the install-ldm Script With the -d none Option 25

Using JumpStart to Install the Logical Domains Manager 1.0 and Solaris Security Toolkit 4.2 Software 26

▼ To Set Up a JumpStart Server 26

▼ To Install Using JumpStart Software 27

Installing Logical Domains Manager and Solaris Security Toolkit Software Manually 29

▼ To Download and Install the Logical Domains Manager (LDoms) 1.0 Software Manually 29

▼ (Optional) To Download and Install the Solaris Security Toolkit 4.2 Software Manually 29

▼ (Optional) To Harden the Control Domain Manually 30

▼ To Validate Hardening 31

▼ To Undo Hardening 31

Enabling the Logical Domains Manager Daemon 32

iv Logical Domains (LDoms) Manager 1.0 Administration Guide • May 2007

▼ To Enable the Logical Domains Manager Daemon 32

Creating Authorization and Profiles and Assigning Roles for User Accounts 33

Managing User Authorizations 33

▼ To Add an Authorization for a User 33

▼ To Delete All Authorizations for a User 34

Managing User Profiles 34

▼ To Add a Profile for a User 34

▼ To Delete All Profiles for a User 34

Assigning Roles to Users 35

▼ To Create a Role and Assign the Role to a User 35

4. Setting Up Services and Logical Domains 37

Creating Default Services 37

▼ To Create Default Services 38

Initial Configuration of the Control Domain 40

▼ To Set Up the Control Domain 40

Rebooting to Use Logical Domains 42

▼ To Reboot to Use Logical Domains 42

Enabling Networking Between the Control/Service Domain and Other Domains 42

▼ To Configure the Virtual Switch as the Primary Interface 43

Enabling the Virtual Network Terminal Server Daemon 44

▼ To Enable the Virtual Network Terminal Server Daemon 44

Creating and Starting a Guest Domain 45

▼ To Create and Start a Guest Domain 45

JumpStarting a Guest Domain 49

5. Other Information and Tasks 51

Stopping, Unbinding, and Deleting a Guest Logical Domain 52

▼ To Stop, Unbind, and Remove a Guest Domain 52

Assigning MAC Addresses 53

CPU and Memory Address Mapping 53

CPU Mapping 53

▼ To Determine the CPU Number 53

Memory Mapping 54

▼ To Determine the Real Memory Address 54

Example 54

Configuring Split PCI Express Bus to Use Multiple Logical Domains 57

▼ To Create a Split PCI Configuration 57

Enabling the I/O MMU Bypass Mode on a PCI Bus 60

Operating the Solaris OS With Logical Domains 62

After a Solaris OS Shutdown 62

After a Solaris OS Break Key Sequence (L1-A) 62

After Halting or Rebooting the Primary Domain 63

Some format(1M) Command Options Do Not Work With Virtual Disks 63

Moving a Logical Domain From One Server to Another 64

Using LDoms With ALOM CMT 65

▼ To Reset the Logical Domain Configuration to the Default or Another Configuration 65

Accessing the ldm(1M) Man Page 66

▼ To Access the ldm(1M) Man Page 66

Restrictions on Entering Names in the CLI 66

File Names (file) and Variable Names (var_name) 66

Virtual Disk Server file|device and Virtual Switch device Names 67

All Other Names 67

Enabling and Using BSM Auditing 67

▼ To Use the enable-bsm.fin Finish Script 68

▼ To Use the Solaris OS bsmconv(1M) Command 68

▼ To Verify that BSM Auditing is Enabled 69

▼ To Disable Auditing 69

▼ To Print Audit Output 69

▼ To Rotate Audit Logs 70

Using ldm list Subcommands 70

Syntax Usage for the ldm Subcommands 70

▼ To Show Syntax Usage for ldm Subcommands 70

Flag Definitions in List Output 73

Examples of Various Lists 73

▼ To Show Software Versions 73

▼ To Generate a Short List 73

▼ To Generate a Long List 74

▼ To Generate a Parseable, Machine-Readable List 75

▼ To Show the Status of a Domain 76

▼ To List a Variable 76

▼ To List Bindings 76

▼ To List Configurations 77

▼ To List Devices 78

▼ To List Services 80

Listing Constraints 80

▼ To List Constraints for All Domains 80

▼ To List Constraints in XML Format 81

▼ To List Constraints in a Machine-Readable Format 82

Using Console Groups 83

▼ To Use Console Groups 83

Configuring Virtual Switch and Service Domain for NAT and Routing 84

▼ To Set Up the Virtual Switch to Provide External Connectivity to Domains 85

Using ZFS With Virtual Disks 85

Creating a Virtual Disk on Top of a ZFS Volume 86

▼ To Create a Virtual Disk on Top of a ZFS Volume 86

Using ZFS Over a Virtual Disk 87

▼ To Use ZFS Over a Virtual Disk 88

Using ZFS for Boot Disks 89

▼ To Use ZFS for Boot Disks 89

Using Volume Managers in a Logical Domains Environment 91

Using Virtual Disks on Top of Volume Managers 91

Note on Using Virtual Disks on Top of SVM 93

Note on Using Virtual Disks When VxVM Is Installed 93

Using Volume Managers on Top of Virtual Disks 94

Using ZFS on Top of Virtual Disks 94

Using SVM on Top of Virtual Disks 94

Using VxVM on Top of Virtual Disks 95

Configuring IPMP in a Logical Domains Environment 95

Configuring Virtual Network Devices into an IPMP Group in a Logical Domain 95

Configuring and Using IPMP in the Service Domain 97

A. Reference Section for the ldm(1M) Command 99

Glossary 127

Figures

FIGURE 1-1 Hypervisor Supporting Two Logical Domains 2

FIGURE 5-1 Two Virtual Networks Connected to Separate Virtual Switch Instances 96

FIGURE 5-2 Each Virtual Network Device Connected to Different Service Domains 96

FIGURE 5-3 Two Network Interfaces Configured as Part of IPMP Group 97

Tables

TABLE 1-1 Logical Domain Roles 3

TABLE 2-1 ldm Subcommands and User Authorizations 12

TABLE 5-1 Expected Behavior of Halting or Rebooting the Primary Domain 63

Code Samples

CODE EXAMPLE 3-1 Directory Structure for Downloaded Logical Domains 1.0 Software 19

CODE EXAMPLE 3-2 Output From Hardened Solaris Configuration for LDoms 22

CODE EXAMPLE 3-3 Output From Choosing Customized Configuration Profile 23

CODE EXAMPLE 3-4 Output From Successful Run of the install-ldm -d Script 24

CODE EXAMPLE 3-5 Output From Successful Run of the install-ldm -d none Script 26

CODE EXAMPLE 5-1 Long List of Logical Domain Configuration 55

CODE EXAMPLE 5-2 Syntax Usage for All ldm Subcommands 70

CODE EXAMPLE 5-3 Software Versions Installed 73

CODE EXAMPLE 5-4 Short List for All Domains 74

CODE EXAMPLE 5-5 Long List for All Domains 74

CODE EXAMPLE 5-6 Machine-Readable List 75

CODE EXAMPLE 5-7 Guest Domain Status 76

CODE EXAMPLE 5-8 Variable List for a Domain 76

CODE EXAMPLE 5-9 Bindings List for a Domain 76

CODE EXAMPLE 5-10 Configurations List 77

CODE EXAMPLE 5-11 List of All Server Resources 78

CODE EXAMPLE 5-12 Services List 80

CODE EXAMPLE 5-13 Constraints List for All Domains 80

CODE EXAMPLE 5-14 Constraints for a Domain in XML Format 81

CODE EXAMPLE 5-15 Constraints for All Domains in a Machine-Readable Format 82

Preface

The Logical Domains (LDoms) 1.0 Administration Guide provides detailed information and procedures that describe the overview, security considerations, installation, configuration, modification, and execution of common tasks for the Logical Domains Manager 1.0 software on Sun Fire™ and SPARC® Enterprise T1000 and T2000 Servers, Netra™ T2000 Servers, Netra CP3060 Blades, and Sun Blade™ T6300 Server Modules. This guide is intended for the system administrators on these servers who have a working knowledge of UNIX® systems and the Solaris™ Operating System (Solaris OS).

Before You Read This Document

If you do not have a working knowledge of UNIX commands and procedures and your Solaris Operating System, read the Solaris OS user and system administrator documentation provided with your system hardware, and consider UNIX system administration training.

How This Book Is Organized

This guide contains the following information:

Chapter 1 provides an overview of the Logical Domains Manager software.

Chapter 2 discusses the Solaris™ Security Toolkit, and how it can provide security for the Solaris OS in logical domains.

Chapter 3 provides detailed procedures for installing and enabling Logical Domains Manager software.

Chapter 4 provides detailed procedures for setting up services and logical domains.

Chapter 5 provides other information and procedures for executing common tasks in using Logical Domains Manager software to manage logical domains.

Appendix A provides the reference information, the man page, for the Logical Domains Manager command, ldm(1M).

Glossary is a list of LDoms-specific abbreviations, acronyms, and terms and their definitions.

Using UNIX Commands

This document might not contain information on basic UNIX commands and procedures such as shutting down the system, booting the system, and configuring devices. Refer to the following for this information:

■ Software documentation that you received with your system

■ Solaris Operating System documentation, which is at http://docs.sun.com

Shell Prompts

Shell                                 | Prompt
C shell                               | machine-name%
C shell superuser                     | machine-name#
Bourne shell and Korn shell           | $
Bourne shell and Korn shell superuser | #

Typographic Conventions

Typeface*  | Meaning                                                                                                        | Examples
AaBbCc123  | The names of commands, files, and directories; on-screen computer output                                       | Edit your .login file. Use ls -a to list all files. % You have mail.
AaBbCc123  | What you type, when contrasted with on-screen computer output                                                  | % su  Password:
AaBbCc123  | Book titles, new words or terms, words to be emphasized. Replace command-line variables with real names or values. | Read Chapter 6 in the User’s Guide. These are called class options. To delete a file, type rm filename.

* The settings on your browser might differ from these settings.

Related Documentation

The Logical Domains (LDoms) 1.0 Administration Guide and Release Notes are available at:

http://www.sun.com/products-n-solutions/hardware/docs/Software/enterprise_computing/systems_management/ldoms/ldoms1_0/index.html

The Beginners Guide to LDoms: Understanding and Deploying Logical Domains Software can be found at the Sun BluePrints™ site at:

http://www.sun.com/blueprints/0207/820-0832.html

You can find documents relating to your server or your Solaris OS at:

http://www.sun.com/documentation/

Type the name of your server or your Solaris OS in the Search box to find the documents you need.

Application | Title | Part Number | Format | Location
Release notes | Logical Domains (LDoms) 1.0 Release Notes | 819-6429-10 | HTML, PDF | Online
Solaris man pages for LDoms | Solaris 10 Reference Manual Collection: drd(1M) man page, vntsd(1M) man page | N/A | HTML, PDF | Online
LDoms man page | ldm(1M) man page | N/A | SGML | Sun Software Download site with LDoms code
Basics for Logical Domains software | Beginners Guide to LDoms: Understanding and Deploying Logical Domains Software | 820-0832 | PDF | Online
Solaris OS including installation, using JumpStart™, and using the Service Management Facility (SMF) | Solaris 10 Collection | N/A | HTML, PDF | Online
Security | Solaris Security Toolkit 4.2 Administration Guide | 819-1402-10 | HTML, PDF | Online
Security | Solaris Security Toolkit 4.2 Reference Manual | 819-1503-10 | HTML, PDF | Online
Security | Solaris Security Toolkit 4.2 Release Notes | 819-1504-10 | HTML, PDF | Online
Security | Solaris Security Toolkit 4.2 Man Page Guide | 819-1505-10 | HTML, PDF | Online
Sun Management Center compatible with Logical Domains Manager 1.0 supported servers | Sun Management Center 3.6 Version 6 Add-On Software Release Notes: For Sun Fire, Sun Blade, Netra, and Sun Ultra™ Systems | 820-1041-10 | PDF | Online
SunVTS™ | SunVTS 6.3 User’s Guide | 820-0080-10 | HTML, PDF | Online
ALOM CMT compatible with Logical Domains Manager 1.0 and Sun Fire and SPARC Enterprise T1000 and T2000 Servers | Advanced Lights Out Management (ALOM) CMT v1.3 Guide | 819-7981-11 | HTML, PDF | Online
Sun™ Explorer 5.7 Data Collector | Sun Explorer User’s Guide | (not listed) | HTML, PDF | Online
Sun Fire and SPARC Enterprise Sun Fire T1000 Servers | Sun Fire and SPARC Enterprise T1000 Server Administration Guide | (not listed) | HTML, PDF | Online
Sun Fire and SPARC Enterprise Sun Fire T2000 Servers | Sun Fire and SPARC Enterprise T2000 Server Administration Guide | (not listed) | HTML, PDF | Online
Netra T2000 Servers | Netra T2000 Server Administration Guide | 819-5837-10 | PDF | Online
Netra CP3060 Blades | Netra CP3060 Board Product Notes | 819-4966-12 | PDF | Online
Sun Blade T6300 Server Modules | Sun Blade T6300 Server Module Administration Guide | 820-0277-10 | PDF | Online
Sun Blade T6300 Server Modules | Sun Blade T6300 Server Module Installation Guide | 820-0275-10 | PDF | Online
Sun Blade T6300 Server Modules | Sun Blade T6300 Server Module Product Notes | 820-0278-10 | PDF | Online

Documentation, Support, and Training

Sun Function  | URL
Documentation | http://www.sun.com/documentation/
Support       | http://www.sun.com/support
Training      | http://www.sun.com/training/

Third-Party Web Sites

Sun is not responsible for the availability of third-party web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.

Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. You can submit your comments by going to:

http://www.sun.com/hwdocs/feedback

Please include the title and part number of your document with your feedback:

Logical Domains (LDoms) 1.0 Administration Guide, part number 819-6428-11

CHAPTER 1

Overview of the Logical Domains Software

This chapter provides an overview of the Logical Domains software. All of the Solaris OS functionality necessary to use Sun’s Logical Domains technology is in the Solaris 10 11/06 release. However, system firmware and the Logical Domains Manager are also required to use logical domains. Refer to “Required and Recommended Software” in the Logical Domains (LDoms) 1.0 Release Notes for specific details.

■ “Hypervisor and Logical Domains” on page 1

■ “Logical Domains Manager” on page 3

Hypervisor and Logical Domains

This section provides a brief overview of the SPARC hypervisor and the logical domains it supports.

The SPARC hypervisor is a small firmware layer that provides a stable virtualized machine architecture to which an operating system can be written. Sun servers using the hypervisor provide hardware features to support the hypervisor’s control over a logical operating system’s activities.

A logical domain is a discrete logical grouping with its own operating system, resources, and identity within a single computer system. Each logical domain can be created, destroyed, reconfigured, and rebooted independently, without requiring a power cycle of the server. You can run a variety of application software in different logical domains and keep them independent for performance and security purposes.

Each logical domain is allowed to observe and interact with only those server resources made available to it by the hypervisor. Using the Logical Domains Manager, the system administrator specifies what the hypervisor should do through the control domain. Thus, the hypervisor enforces the partitioning of the resources of a server and provides limited subsets to multiple operating system environments. This is the fundamental mechanism for creating logical domains. The following diagram shows the hypervisor supporting two logical domains. It also shows the layers that make up the Logical Domains functionality:

■ Applications, or user/services

■ Kernel, or operating systems

■ Firmware, or hypervisor

■ Hardware, including CPU, memory, and I/O

FIGURE 1-1 Hypervisor Supporting Two Logical Domains

The number and capabilities of each logical domain that a specific SPARC hypervisor supports are server-dependent features. The hypervisor can allocate subsets of the overall CPU, memory, and I/O resources of a server to a given logical domain. This enables support of multiple operating systems simultaneously, each within its own logical domain. Resources can be rearranged between separate logical domains with an arbitrary granularity. For example, memory is assignable to a logical domain with an 8-kilobyte granularity.

Each virtual machine can be managed as an entirely independent machine with its own resources, such as:

■ Kernel, patches, and tuning parameters

■ User accounts and administrators

■ Disks

■ Network interfaces, MAC addresses, and IP addresses

Each virtual machine can be stopped, started, and rebooted independently of the others without requiring a power cycle of the server.

The hypervisor software is responsible for maintaining the separation between logical domains. The hypervisor software also provides logical domain channels (LDCs), so that logical domains can communicate with each other. Using logical domain channels, domains can provide services to each other, such as networking or disk services.

The system controller monitors and runs the physical machine, but it does not manage the virtual machines. The Logical Domains Manager runs the virtual machines.

Logical Domains Manager

The Logical Domains Manager is used to create and manage logical domains. There can be only one Logical Domains Manager per server. The Logical Domains Manager maps logical domains to physical resources.

Roles for Logical Domains

All logical domains are the same except for the roles that you specify for them. There are multiple roles that logical domains can perform:

TABLE 1-1 Logical Domain Roles

Domain Role | Description
Control domain | Domain in which the Logical Domains Manager runs, allowing you to create and manage other logical domains and allocate virtual resources to other domains. There can be only one control domain per server. The initial domain created when installing Logical Domains software is a control domain and is named primary.
Service domain | Domain that provides virtual device services to other domains, such as a virtual switch, a virtual console concentrator, and a virtual disk server.
I/O domain | Domain which has direct ownership of and direct access to physical I/O devices, such as a network card in a PCI Express controller. Shares the devices to other domains in the form of virtual devices. You can have a maximum of two I/O domains, one of which also must be the control domain.
Guest domain | Domain that is managed by the control domain and uses services from the I/O and service domains.

If you have an existing system and already have an operating system and other software running on your server, that will be your control domain once you install the Logical Domains Manager. You might want to remove some of your applications from the control domain once it is set up, and balance the load of your applications throughout your domains to make the most efficient use of your system.

Command-Line Interface

The Logical Domains Manager provides a command-line interface (CLI) for the system administrator to create and configure logical domains.

To use the Logical Domains Manager CLI, you must have the Logical Domains Manager daemon, ldmd, running. The CLI is a single command, ldm(1M), with multiple subcommands. The ldm(1M) command and its subcommands are described in detail in Appendix A and the ldm(1M) man page.

To execute the ldm command, you must have the /opt/SUNWldm/bin directory in your UNIX $PATH variable. To access the ldm(1M) man page, add the directory path /opt/SUNWldm/man to the variable $MANPATH. Both are shown as follows:

# PATH=$PATH:/opt/SUNWldm/bin; export PATH            (for Bourne or K shell)
# MANPATH=$MANPATH:/opt/SUNWldm/man; export MANPATH

% set PATH=($PATH /opt/SUNWldm/bin)                   (for C shell)
% set MANPATH=($MANPATH /opt/SUNWldm/man)

Virtual I/O

In a Logical Domains environment, an administrator can provision up to 32 domains on a Sun Fire or SPARC Enterprise T1000 or T2000 Server. Though each domain can be assigned dedicated CPUs and memory, the limited number of I/O buses and physical I/O slots in these systems makes it impossible to provide all domains exclusive access to the disk and network devices. Though some physical devices can be shared by splitting the PCI Express® (PCI-E) bus into two (see “Configuring Split PCI Express Bus to Use Multiple Logical Domains” on page 57), it is not sufficient to provide all domains exclusive device access. This lack of direct physical I/O device access is addressed by implementing a virtualized I/O model.

All logical domains with no direct I/O access are configured with virtual I/O devices that communicate with a service domain, which runs a service to export access to a physical device or its functions. In this client-server model, virtual I/O devices either communicate with each other or a service counterpart through interdomain communication channels called Logical Domain Channels (LDCs). In Logical Domains 1.0 software, the virtualized I/O functionality comprises support for virtual networking, storage, and consoles.

Virtual Network

The virtual network support is implemented using two components: the virtual network and virtual network switch device. The virtual network (vnet) device emulates an Ethernet device and communicates with other vnet devices in the system using a point-to-point channel. The virtual switch (vsw) device mainly functions as a [de]multiplexor of all the virtual network’s incoming and outgoing packets. The vsw device interfaces directly with a physical network adapter on a service domain, and sends and receives packets on a virtual network’s behalf. The vsw device also functions as a simple layer-2 switch and switches packets between the vnet devices connected to it within the system.

Virtual Storage

The virtual storage infrastructure enables logical domains to access block-level storage that is not directly assigned to them through a client-server model. It consists of two components: a virtual disk client (vdc) that exports a block device interface; and a virtual disk service (vds) that processes disk requests on behalf of the virtual disk client and submits them to the physical storage residing on the service domain. Although the virtual disks appear as regular disks on the client domain, all disk operations are forwarded to the physical disk through the virtual disk service.

Virtual Consoles

In a Logical Domains environment, console I/O from all domains, except the primary domain, is redirected to a service domain running the virtual console concentrator (vcc) and virtual network terminal server (vntsd) services, instead of the system controller. The virtual console concentrator service functions as a concentrator for all domains’ console traffic, and interfaces with the virtual network terminal server daemon and exports access to each console through a UNIX socket.

Dynamic Reconfiguration

Dynamic reconfiguration (DR) is the ability to add or remove resources while the operating system is running. The Solaris 10 OS supports only the adding and removing of virtual CPUs (vcpus). Dynamic reconfiguration of memory and input/output is not supported in the Solaris 10 OS. To use the dynamic reconfiguration capability in the Logical Domains Manager CLI, you must have the Logical Domains dynamic reconfiguration daemon, drd(1M), running in the domain you want to change.

Delayed Reconfiguration

In contrast to dynamic reconfiguration operations that take place immediately, delayed reconfiguration operations take effect after the next reboot of the OS, or stop and start of the logical domain if no OS is running. Any add or remove operations on active logical domains, except the add-vcpu, set-vcpu, and remove-vcpu subcommands, are considered delayed reconfiguration operations. In addition, the set-vswitch subcommand on an active logical domain is considered a delayed reconfiguration operation.

When the Logical Domains Manager is first installed and enabled (or when the configuration is restored to factory-default), the LDoms Manager runs in the configuration mode. In this mode, reconfiguration requests are accepted and queued up, but are not acted upon. This allows a new configuration to be generated and stored to the SC without affecting the state of the running machine, and therefore without being encumbered by any of the restrictions around things like delayed reconfiguration and reboot of I/O domains.

Once a delayed reconfiguration is in progress for a particular logical domain, any other reconfiguration requests for that logical domain are also deferred until the domain is rebooted or stopped and started. Also, when there is a delayed reconfiguration outstanding for one logical domain, reconfiguration requests for other logical domains are severely restricted and will fail with an appropriate error message.


Even though attempts to remove virtual I/O devices on an active logical domain will be handled as a delayed reconfiguration operation, some configuration change does occur immediately. This means the device will in fact stop functioning as soon as the associated Logical Domains Manager CLI operation is invoked.

The Logical Domains Manager subcommand remove-reconf cancels delayed reconfiguration operations. You can list delayed reconfiguration operations by using the ldm list-domain command. See Appendix A or the ldm(1M) man page for more information about how to use the delayed reconfiguration feature.

Note – You cannot use the ldm remove-reconf command if any other ldm remove-* commands have been issued on virtual I/O devices. The ldm remove-reconf command fails in these circumstances.

Persistent Configurations

The current configuration of a logical domain can be stored on the system controller (SC) using the Logical Domains Manager CLI commands. You can add a configuration, specify a configuration to be used, remove a configuration, and list the configurations on the system controller (see Appendix A). In addition, there is an ALOM CMT Version 1.3 command that enables you to select a configuration to boot (see “Using LDoms With ALOM CMT” on page 65).


CHAPTER 2

Security Considerations

The Solaris Security Toolkit software, informally known as the JumpStart™ Architecture and Security Scripts (JASS) toolkit, provides an automated, extensible, and scalable mechanism to build and maintain secure Solaris OS systems. The Solaris Security Toolkit provides security for devices critical to the management of your server, including the control domain in the Logical Domains Manager.

The Solaris Security Toolkit 4.2 software package, SUNWjass, provides the means to secure the Solaris Operating System on your control domain through the use of the install-ldm script by:

■ Letting the Solaris Security Toolkit automatically harden your control domain by using the Logical Domains Manager install script (install-ldm) and the control driver specific to the Logical Domains Manager (ldm_control-secure.driver).

■ Selecting an alternative driver when using the install script.

■ Selecting no driver when using the install script and applying your own Solaris hardening.

The SUNWjass package is located with the Logical Domains (LDoms) Manager 1.0 software package, SUNWldm, at Sun’s software download web site. You have the option to download and install the Solaris Security Toolkit 4.2 software package at the same time you download and install the Logical Domains Manager 1.0 software. The Solaris Security Toolkit 4.2 software package includes the required patches to enable the Solaris Security Toolkit software to work with the Logical Domains Manager. Once the software is installed, you can harden your system with Solaris Security Toolkit 4.2 software. Chapter 3 tells you how to install and configure the Solaris Security Toolkit, and harden your control domain.

Following are the security functions available to users of the Logical Domains Manager provided by the Solaris Security Toolkit:

■ Hardening – Modifying Solaris OS configurations to improve a system’s security using the Solaris Security Toolkit 4.2 software with required patches to enable the Solaris Security Toolkit to work with the Logical Domains Manager.


■ Authorization – Setting up authorization using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager.

■ Auditing – Using the Solaris OS Basic Security Module (BSM) adapted for the Logical Domains Manager to identify the source of security changes to the system to determine what was done, when it was done, by whom, and what was affected.

■ Compliance – Determining if a system’s configuration is in compliance with a predefined security profile using the Solaris Security Toolkit’s auditing feature.

Solaris Security Toolkit and the Logical Domains Manager

Chapter 3 tells you how to install the Solaris Security Toolkit to make it work with the Logical Domains Manager. You would install the Solaris Security Toolkit on the control domain, which is where the Logical Domains Manager runs. You can also install the Solaris Security Toolkit on the other logical domains. The only difference would be that you would use the ldm_control-secure.driver to harden the control domain and you would use another driver, such as the secure.driver, to harden the other logical domains. This is because the ldm_control-secure.driver is specific to the control domain. The ldm_control-secure.driver is based on the secure.driver and has been customized and tested for use with the Logical Domains Manager. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about the secure.driver.

Hardening

The driver (ldm_control-secure.driver) that Solaris Security Toolkit uses to harden the Solaris OS on the control domain is specifically tailored so that the Logical Domains Manager can run with the OS. The ldm_control-secure.driver is analogous to the secure.driver described in the Solaris Security Toolkit 4.2 Reference Manual.

The ldm_control-secure.driver provides a baseline configuration for the control domain of a system running the Logical Domains Manager software. It is intended to provide fewer system services than typical for a Solaris OS domain, reserving the control domain for Logical Domains Manager operations, rather than general usage.


The install-ldm script installs the Logical Domains Manager software if it is not already installed, and enables the software.

Following is a short summary of the other notable changes from secure.driver.

■ The Telnet server is disabled from running. You can use Secure Shell (ssh) instead. You also can still use the Telnet client to access virtual consoles started by the Logical Domains virtual network terminal server daemon (vntsd). For example, if a virtual console is running that is listening to TCP port 5001 on the local system, you can access it as follows.

# telnet localhost 5001

See “Enabling the Virtual Network Terminal Server Daemon” on page 44 for instructions on enabling vntsd. It is not automatically enabled.

■ The following finish scripts have been added. They enable the Logical Domains Manager to install and start. Some of these added scripts must be added to any customized drivers you make and some are optional. The scripts are marked as to whether they are required or optional.

– install-ldm.fin – Installs the SUNWldm package. (Required)
– enable-ldmd.fin – Enables the Logical Domains Manager daemon (ldmd). (Required)
– enable-ssh-root-login.fin – Enables the superuser to directly log in through the Secure Shell (ssh). (Optional)

■ The following files have changed. These changes are optional to make in any customized drivers you have and are marked as optional.

– /etc/ssh/sshd_config – Root account access is allowed for the entire network. This file is not used in either driver. (Optional)
– /etc/ipf/ipf.conf – UDP port 161 (SNMP) is opened. (Optional)
– /etc/host.allow – The Secure Shell daemon (sshd) is open for the entire network, not just the local subnet. (Optional)

■ The following finish scripts are disabled (commented out). You should comment out the disable-rpc.fin script in any customized driver you make. The other changes are optional. The scripts are marked as to whether they are required or optional.

– enable-ipfilter.fin – IP Filter, a network packet filter, is not enabled. (Optional)
– disable-rpc.fin – Leaves Remote Procedure Call (RPC) service enabled. The RPC service is used by many other system services, such as Network Information Service (NIS) and Network File System (NFS). (Required)
– disable-sma.fin – Leaves the System Management Agent (NET-SNMP) enabled. (Optional)
– disable-ssh-root-login.fin – ssh root login cannot be disabled.
– set-term-type.fin – Unneeded legacy script. (Optional)
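The changes listed above leave the control domain reachable in ways that secure.driver would not allow: root login over ssh, sshd accepting connections from every network, UDP port 161 passed in by IP Filter. The following script is an added example, not from this guide or from the Solaris Security Toolkit, that reports those settings so an administrator can confirm after hardening which exposures are still present. The sshd_config, hosts.allow and ipf.conf excerpts and the svcs listing are constructed samples; on a real control domain the functions would be given the contents of /etc/ssh/sshd_config, the TCP Wrappers hosts.allow file (the guide writes it as host.allow), /etc/ipf/ipf.conf and the output of svcs -a. The function names and the wording of the findings are this example's own.

```sh
#!/bin/sh
# Added example (not part of the LDoms guide): report the control-domain
# settings that ldm_control-secure.driver leaves more open than secure.driver.

# Constructed sample inputs standing in for the real files and `svcs -a`.
SSHD_CONFIG='# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes'

HOSTS_ALLOW='# hosts.allow (constructed sample)
sshd: ALL
in.telnetd: LOCAL'

IPF_CONF='# ipf.conf (constructed sample)
block in all
pass in quick proto tcp from any to any port = 22
pass in quick proto udp from any to any port = 161'

SVCS_OUTPUT='online         Feb_08   svc:/ldoms/ldmd:default
disabled       Feb_08   svc:/network/telnet:default
disabled       Feb_08   svc:/ldoms/vntsd:default
online         Feb_08   svc:/network/ssh:default'

# Value of PermitRootLogin in sshd_config text $1. sshd honours the first
# occurrence of a keyword, so the first match wins here too.
sshd_permit_root_login() {
    printf '%s\n' "$1" | awk 'tolower($1) == "permitrootlogin" { print $2; exit }'
}

# Client list granted to daemon $2 in hosts.allow text $1 (for example
# "ALL", "LOCAL" or a network prefix); empty if the daemon has no entry.
hosts_allow_scope() {
    printf '%s\n' "$1" | awk -v d="$2:" '$1 == d { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Exit 0 if ipf.conf text $1 has a "pass in ... proto udp ... port = $2" rule.
# Only the "port = N" form is recognised; port ranges are not parsed.
ipf_udp_port_open() {
    printf '%s\n' "$1" |
    grep -Eq "^pass[[:space:]]+in[[:space:]].*proto[[:space:]]+udp.*port[[:space:]]*=[[:space:]]*$2([[:space:]]|\$)"
}

# State column of FMRI $2 in `svcs -a` output $1 (online, disabled, ...).
svc_state() {
    printf '%s\n' "$1" | awk -v f="$2" '$3 == f { print $1; exit }'
}

# One line per finding on the sample inputs; nothing printed means clean.
control_domain_findings() {
    if [ "$(sshd_permit_root_login "$SSHD_CONFIG")" = yes ]; then
        echo "sshd_config: PermitRootLogin yes (enable-ssh-root-login.fin); confirm root ssh access is still required"
    fi
    case "$(hosts_allow_scope "$HOSTS_ALLOW" sshd)" in
        ALL*) echo "hosts.allow: sshd accepts connections from ALL, not only the local subnet" ;;
    esac
    if ipf_udp_port_open "$IPF_CONF" 161; then
        echo "ipf.conf: UDP port 161 (SNMP) is passed in"
    fi
    [ "$(svc_state "$SVCS_OUTPUT" svc:/network/telnet:default)" = online ] &&
        echo "telnet server is online; the driver expects it disabled (use ssh instead)"
    [ "$(svc_state "$SVCS_OUTPUT" svc:/ldoms/ldmd:default)" = online ] ||
        echo "ldmd is not online; the Logical Domains Manager cannot be used"
    return 0
}

control_domain_findings
```

Run as is, the script prints three findings for the sample inputs (root login permitted, sshd open to ALL, UDP 161 passed) and none for Telnet or ldmd, because the sample has Telnet disabled and ldmd online.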


Authorization

Authorization for the Logical Domains Manager has two levels:

■ Read – allows you to view, but not modify, the configuration.

■ Read and write – allows you to view and change the configuration.

The changes are not made to the Solaris OS, but are added to the authorization file by the package script postinstall when the Logical Domains Manager is installed. Similarly, the authorization entries are removed by the package script preremove.

The following table lists the ldm subcommands with the corresponding user authorization that is needed to perform the commands.

TABLE 2-1 ldm Subcommands and User Authorizations

ldm Subcommand*        User Authorization
add-*                  solaris.ldoms.write
bind-domain            solaris.ldoms.write
list                   solaris.ldoms.read
list-*                 solaris.ldoms.read
remove-*               solaris.ldoms.write
set-*                  solaris.ldoms.write
start-domain           solaris.ldoms.write
stop-domain            solaris.ldoms.write
unbind-domain          solaris.ldoms.write

* Refers to all the resources you can add, list, remove, or set.
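TABLE 2-1 pairs each subcommand with an authorization, but whether a particular account holds that authorization depends on the RBAC databases (user_attr and the profiles it names in prof_attr). The following script is an added example, not part of this guide, that answers "may this user run this ldm subcommand?" by combining the table with those databases. The database text, the user names and the profile names (LDoms Management, LDoms Review) are constructed for the example; on a real system the same logic would read /etc/user_attr and /etc/security/prof_attr.

```sh
#!/bin/sh
# Added example (not part of the LDoms guide): resolve a user's RBAC
# authorizations and compare them with what TABLE 2-1 requires.

# Constructed samples standing in for /etc/user_attr and
# /etc/security/prof_attr (profile names and users are assumptions).
USER_ATTR='root::::auths=solaris.*;profiles=All
ldmadmin::::profiles=LDoms Management,Basic Solaris User;type=normal
ldmviewer::::profiles=LDoms Review;type=normal
guest::::profiles=Basic Solaris User;type=normal'

PROF_ATTR='All:::Execute any command as the user or role:help=RtAll.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read
LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*
LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read'

# Authorization TABLE 2-1 requires for ldm subcommand $1; exit 1 if unknown.
ldm_auth_required() {
    case "$1" in
        list|list-*) echo solaris.ldoms.read ;;
        add-*|remove-*|set-*|bind-domain|unbind-domain|start-domain|stop-domain)
            echo solaris.ldoms.write ;;
        *) return 1 ;;
    esac
}

# Print the value of key $2 from the attribute field (last colon-separated
# field, "key=value;key=value") of the stdin line whose name field is $1.
attr_value() {
    awk -F: -v name="$1" -v key="$2" '
        $1 == name {
            n = split($NF, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq && substr(kv[i], 1, eq - 1) == key) print substr(kv[i], eq + 1)
            }
        }'
}

# Every authorization user $1 holds, one per line: those named directly in
# user_attr plus those granted by each listed profile (one level deep).
user_auths() {
    printf '%s\n' "$USER_ATTR" | attr_value "$1" auths | tr ',' '\n'
    printf '%s\n' "$USER_ATTR" | attr_value "$1" profiles | tr ',' '\n' |
    while IFS= read -r prof; do
        [ -n "$prof" ] || continue
        printf '%s\n' "$PROF_ATTR" | attr_value "$prof" auths | tr ',' '\n'
    done
}

# Does granted authorization $1 satisfy required authorization $2?
# A grant ending in ".*" covers everything under that prefix (solaris.* covers all).
auth_matches() {
    case "$1" in
        "$2") return 0 ;;
        *'.*') prefix=${1%\*}
               case "$2" in "$prefix"*) return 0 ;; esac ;;
    esac
    return 1
}

# Exit 0 if user $1 may run "ldm $2", 1 if not, 2 if the subcommand is unknown.
# The subshell runs with globbing off so "solaris.ldoms.*" is never expanded
# against file names.
ldm_allowed() {
    want=$(ldm_auth_required "$2") || return 2
    (
        set -f
        for have in $(user_auths "$1"); do
            auth_matches "$have" "$want" && exit 0
        done
        exit 1
    )
}

# Demonstration on the sample databases.
for pair in "ldmadmin add-vcpu" "ldmviewer list-domain" "ldmviewer stop-domain" "guest list"; do
    set -- $pair
    if ldm_allowed "$1" "$2"; then echo "$1: ldm $2 permitted"; else echo "$1: ldm $2 denied"; fi
done
```

On the sample data ldmadmin may run add-vcpu, ldmviewer may list but not stop a domain, and guest, whose only profile grants no solaris.ldoms authorization, may not even list. The check mirrors how the ldm command itself decides: it reads the table's authorization and asks RBAC whether the caller holds it, so a user who is missing it gets an authorization error rather than a silently failing command.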


Auditing

Auditing the Logical Domains Manager CLI commands is done with Solaris OS BSM Auditing. Refer to the Solaris 10 System Administration Guide: Security Services for detailed information about using Solaris OS BSM Auditing.

BSM Auditing is not enabled by default for the Logical Domains Manager; however, the infrastructure is provided. You can enable BSM Auditing in one of two ways:

■ Run the enable-bsm.fin finish script in the Solaris Security Toolkit.

■ Use the Solaris OS bsmconv(1M) command.

For further details about enabling, verifying, disabling, printing output, and rotating logs using BSM Auditing with the Logical Domains Manager, see “Enabling and Using BSM Auditing” on page 67.

Compliance

Solaris Security Toolkit does have its own auditing capabilities. The Solaris Security Toolkit software can automatically validate the security posture of any system running the Solaris OS by comparing it with a predefined security profile. Refer to “Auditing System Security” in the Solaris Security Toolkit 4.2 Administration Guide for more information about this compliance function.


CHAPTER 3

Installing and Enabling Software

This chapter describes how to install and enable Logical Domains Manager 1.0 software and other software on a control domain on the following servers:

■ Sun Fire T1000 Server
■ Sun Fire T2000 Server
■ SPARC Enterprise T1000 Server
■ SPARC Enterprise T2000 Server
■ Netra T2000 Server
■ Netra CP3060 Blade
■ Sun Blade T6300 Server Module

The following topics are covered in this chapter:

■ “Freshly Installing Software on the Control Domain” on page 15
■ “Downloading Logical Domains Manager and Solaris Security Toolkit” on page 19
■ “Installing Logical Domains Manager and Solaris Security Toolkit” on page 20
■ “Enabling the Logical Domains Manager Daemon” on page 32
■ “Creating Authorization and Profiles and Assigning Roles for User Accounts” on page 33

Freshly Installing Software on the Control Domain

The first domain that is created when the Logical Domains Manager software is installed is the control domain. That first domain is named primary, and you cannot change the name. The following major components are installed on the control domain.

■ Solaris 10 11/06 OS. See “To Install the Solaris OS” on page 16.


■ System firmware version 6.4.x for your server. See “To Upgrade System Firmware” on page 17.

■ Logical Domains Manager 1.0 software. See “Installing Logical Domains Manager and Solaris Security Toolkit” on page 20.

■ (Optional) Solaris Security Toolkit 4.2 software. See “Installing Logical Domains Manager and Solaris Security Toolkit” on page 20.

The Solaris OS and the system firmware must be installed on your server before you install the Logical Domains Manager. After the Solaris OS, the system firmware, and the Logical Domains Manager have been installed, the original domain becomes the control domain.

▼ To Install the Solaris OS

Install the Solaris 10 11/06 OS if it has not already been installed. Refer to the Solaris 10 OS installation guide for complete instructions. You can tailor your installation to the needs of your system.

Note – For logical domains, you can install the Solaris OS only to an entire disk or a file exported as a block device.

1. Install the Solaris 10 11/06 OS, and do the following:

a. Select the Entire Distribution for a regular installation or SUNWCall for a JumpStart installation.

b. Select the English, C locale.

2. Install the following Solaris 10 11/06 patches:

■ 124921-02, which contains updates to the Logical Domains 1.0 drivers and utilities. Logical Domains networking will be broken without this patch.

■ 125043-01, which contains updates to the console (qcn) drivers. This patch depends on kernel update (KU) 118833-36, so if this is not already updated on your system, you must install it also.

You can find the patches at the SunSolveSM site:

http://sunsolve.sun.com


▼ To Upgrade System Firmware

You can find System Firmware 6.4.x at the SunSolve site:

http://sunsolve.sun.com

This procedure describes how to upgrade system firmware using the flashupdate(1M) command on your system controller. If you do not have access to a local FTP server, see “To Upgrade System Firmware Without an FTP Server” on page 18. If you want to update the system firmware from the control domain, refer to your system firmware release notes. Refer to the administration guides or product notes for the supported servers for more information about installing and updating system firmware for these servers.

1. Shut down and power off the host server from either management port connected to the system controller: serial or network.

# shutdown -i5 -g0 -y
ok #. (break to SC prompt)
sc> poweroff -yf

2. Use the flashupdate(1M) command to upgrade the system firmware, depending on your server.

sc> flashupdate -s IP-address -f path/Sun_System_Firmware-6_4_x_build_nn-server-name.bin
username: your-userid
password: your-password

Where:

■ IP-address is the IP address of your FTP server.
■ path is the location in SunSolve or your own directory where you can obtain the system firmware image.
■ x is the version number of System Firmware 6.4.
■ nn is the number of the build that applies to this release.
■ server-name is the name of your server. For example, the server-name for the Sun Fire T2000 server is Sun_Fire_T2000.

3. Reset the system controller.

sc> resetsc -y


4. Power on and boot the host server.

sc> poweron
sc> console -f
ok boot disk

▼ To Upgrade System Firmware Without an FTP Server

If you do not have access to a local FTP server to upload firmware to the system controller, you can use the sysfwdownload utility, which is provided with your system firmware upgrade package on the SunSolve site:

http://sunsolve.sun.com

Run the sysfwdownload utility from within the Solaris OS.

1. Run the following commands within the Solaris OS:

# cd firmware_location
# sysfwdownload system_firmware_file

2. Shut down the Solaris OS instance:

# shutdown -i5 -g0 -y

3. Power off and update the firmware on the system controller:

sc> poweroff -fy
sc> flashupdate -s 127.0.0.1

4. Reset and power on the system controller:

sc> resetsc -y
sc> poweron


▼ To Downgrade System Firmware

Once you have upgraded the system firmware for use with Logical Domains software, you can downgrade the firmware to the original non–Logical Domains firmware.

● Run the flashupdate(1M) command and specify the path to the original non-Logical Domains firmware.

Downloading Logical Domains Manager and Solaris Security Toolkit

▼ To Download the Logical Domains Manager and Solaris Security Toolkit

1. Download the tar file (LDoms_Manager_1.0.tar.gz) containing the Logical Domains Manager package (SUNWldm), the Solaris Security Toolkit (SUNWjass) and installation script (install-ldm) from the Sun Software Download site at:

http://www.sun.com/download/products.xml?id=462e6bd6

2. Unpack the tar file.

$ gunzip -c LDoms_Manager_1.0.tar.gz | tar xvf -

The directory structure for the downloaded software is similar to the following:

CODE EXAMPLE 3-1 Directory Structure for Downloaded Logical Domains 1.0 Software

LDoms_Manager_1.0/
    Install/
        install-ldm
    LICENSE
    Patches/
        118833-36.zip
        125043-01.zip
        124921-02.tar.Z
    Product/
        SUNWldm.v/
        SUNWjass/
    README

Installing Logical Domains Manager and Solaris Security Toolkit

There are three methods of installing Logical Domains Manager and Solaris Security Toolkit software:

■ Using the installation script to install the packages and patches. This automatically installs both the Logical Domains Manager and the Solaris Security Toolkit software. See “Using the Installation Script to Install the Logical Domains Manager 1.0 and Solaris Security Toolkit 4.2 Software” on page 20.

■ Using JumpStart to install the packages. See “Using JumpStart to Install the Logical Domains Manager 1.0 and Solaris Security Toolkit 4.2 Software” on page 26.

■ Installing each package manually. See “Installing Logical Domains Manager and Solaris Security Toolkit Software Manually” on page 29.

Using the Installation Script to Install the Logical Domains Manager 1.0 and Solaris Security Toolkit 4.2 Software

If you use the install-ldm installation script, you have three choices to specify how you want the script to run. Each choice is described in the procedures that follow.

■ Using the install-ldm script with no options – does the following automatically:

  ■ Checks that the Solaris OS release is Solaris 10 11/06
  ■ Verifies that the package subdirectories SUNWldm/ and SUNWjass/ are present
  ■ Verifies that the prerequisite Solaris Logical Domains driver packages, SUNWldomr and SUNWldomu, are present
  ■ Verifies that the SUNWldm and SUNWjass packages have not been installed


Note – If the script does detect a previous version of SUNWjass during installation, you will need to remove it. You do not need to undo any previous hardening of your Solaris OS.

  ■ Installs the Logical Domains Manager 1.0 software (SUNWldm package)
  ■ Installs the Solaris Security Toolkit 4.2 software including required patches (SUNWjass package)
  ■ Verifies that all packages are installed
  ■ Enables the Logical Domains Manager daemon, ldmd
  ■ Hardens the Solaris OS on the control domain with the Solaris Security Toolkit ldm_control-secure.driver or one of the other drivers ending in -secure.driver that you select.

■ Using the install-ldm script with option -d – allows you to specify a Solaris Security Toolkit driver other than a driver ending with -secure.driver. This option automatically performs all the functions listed in the preceding choice with the added option:

  ■ Hardens the Solaris OS on the control domain with the Solaris Security Toolkit customized driver that you specify; for example, the server-secure-myname.driver.

■ Using the install-ldm script with option -d and specifying none – specifies that you do not want to harden the Solaris OS running on your control domain by using the Solaris Security Toolkit. This option automatically performs all the functions except hardening listed in the preceding choices. Bypassing the use of the Solaris Security Toolkit is not suggested and should only be done when you intend to harden your control domain using an alternate process.

▼ To Install Using the install-ldm Script With No Options

1. Run the installation script with no options.

# Install/install-ldm

The installation script is part of the SUNWldm package and is in the Install subdirectory.

If the process is successful, you receive messages similar to the following examples.

CODE EXAMPLE 3-2 shows a successful run of the install-ldm script if you choose the following default security profile:

a) Hardened Solaris configuration for LDoms (recommended)


CODE EXAMPLE 3-2 Output From Hardened Solaris Configuration for LDoms

# Install/install-ldm
Welcome to the LDoms installer.

You are about to install the domain manager package that will enable
you to create, destroy and control other domains on your system. Given
the capabilities of the domain manager, you can now change the security
configuration of this Solaris instance using the Solaris Security
Toolkit.

Select a security profile from this list:

a) Hardened Solaris configuration for LDoms (recommended)
b) Standard Solaris configuration
c) Your custom-defined Solaris security configuration profile

Enter a, b, or c [a]: a
The changes made by selecting this option can be undone through the
Solaris Security Toolkit’s undo feature. This can be done with the
‘/opt/SUNWjass/bin/jass-execute -u’ command.

Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

Installation of <SUNWjass> was successful.

Verifying that all packages are fully installed. OK.
Enabling services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver ldm_control-secure.driver.
Please wait. . .
/opt/SUNWjass/bin/jass-execute -q -d ldm_control-secure.driver
Executing driver, ldm_control-secure.driver
Solaris Security Toolkit hardening executed successfully; log file
/var/opt/SUNWjass/run/20070208142843/jass-install-log.txt. It will not
take effect until the next reboot. Before rebooting, make sure SSH or
the serial line is setup for use after the reboot.


CODE EXAMPLE 3-3 shows a successful run of the install-ldm script if you choose the following security profile:

c) Your custom-defined Solaris security configuration profile

The drivers that are displayed for you to choose are drivers ending with -secure.driver. If you write a customized driver that does not end with -secure.driver, you must specify your customized driver with the install-ldm -d option. (See “To Install Using the install-ldm Script With the -d Option” on page 24.)

CODE EXAMPLE 3-3 Output From Choosing Customized Configuration Profile

# Install/install-ldm
Welcome to the LDoms installer.

You are about to install the domain manager package that will enable
you to create, destroy and control other domains on your system. Given
the capabilities of the domain manager, you can now change the security
configuration of this Solaris instance using the Solaris Security
Toolkit.

Select a security profile from this list:

a) Hardened Solaris configuration for LDoms (recommended)
b) Standard Solaris configuration
c) Your custom-defined Solaris security configuration profile

Enter a, b, or c [a]: c
Choose a Solaris Security Toolkit .driver configuration profile from
this list
1) ldm_control-secure.driver
2) secure.driver
3) server-secure.driver
4) suncluster3x-secure.driver
5) sunfire_15k_sc-secure.driver

Enter a number 1 to 5: 2
The driver you selected may not perform all the LDoms-specific
operations specified in the LDoms Administration Guide.
Is this OK (yes/no)? [no] y
The changes made by selecting this option can be undone through the
Solaris Security Toolkit’s undo feature. This can be done with the
‘/opt/SUNWjass/bin/jass-execute -u’ command.

Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

Installation of <SUNWjass> was successful.

Verifying that all packages are fully installed. OK.
Enabling services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver secure.driver.
Please wait. . .
/opt/SUNWjass/bin/jass-execute -q -d secure.driver
Executing driver, secure.driver
Solaris Security Toolkit hardening executed successfully; log file
/var/opt/SUNWjass/run/20070102142843/jass-install-log.txt. It will not
take effect until the next reboot. Before rebooting, make sure SSH or
the serial line is setup for use after the reboot.

2. Continue with “Enabling the Logical Domains Manager Daemon” on page 32.

▼ To Install Using the install-ldm Script With the -d Option

1. Run the installation script with the -d option to specify a Solaris Security Toolkit customized hardening driver; for example, server-secure-myname.driver.

# Install/install-ldm -d server-secure-myname.driver

The installation script is part of the SUNWldm package and is in the Install subdirectory.

If the process is successful, you receive messages similar to the following:

CODE EXAMPLE 3-4 Output From Successful Run of the install-ldm -d Script

# Install/install-ldm -d server-secure.driver
The driver you selected may not perform all the LDoms-specific
operations specified in the LDoms Administration Guide.
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

Installation of <SUNWjass> was successful.

Verifying that all packages are fully installed. OK.
Enabling services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver server-secure-myname.driver.
Please wait. . .
/opt/SUNWjass/bin/jass-execute -q -d server-secure-myname.driver
Executing driver, server-secure-myname.driver
Solaris Security Toolkit hardening executed successfully; log file
/var/opt/SUNWjass/run/20061114143128/jass-install-log.txt. It will not
take effect until the next reboot. Before rebooting, make sure SSH or
the serial line is setup for use after the reboot.

2. Continue with “Enabling the Logical Domains Manager Daemon” on page 32.

▼ To Install Using the install-ldm Script With the -d none Option

1. Run the installation script with the -d none option to specify not to harden your system using a Solaris Security Toolkit driver.

# Install/install-ldm -d none

The installation script is part of the SUNWldm package and is in the Install subdirectory.

If the process is successful, you receive messages similar to the following:

CODE EXAMPLE 3-5 Output From Successful Run of the install-ldm -d none Script

# Install/install-ldm -d none
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

Installation of <SUNWjass> was successful.

Verifying that all packages are fully installed. OK.
Enabling services: svc:/ldoms/ldmd:default
Solaris Security Toolkit was not applied. Bypassing the use of the
Solaris Security Toolkit is not recommended and should only be
performed when alternative hardening steps are to be taken.

2. Continue with “Enabling the Logical Domains Manager Daemon” on page 32.

Using JumpStart to Install the Logical Domains Manager 1.0 and Solaris Security Toolkit 4.2 Software

Refer to JumpStart Technology: Effective Use in the Solaris Operating Environment for complete information about using JumpStart.

▼ To Set Up a JumpStart Server

■ If you have already set up a JumpStart server, proceed to “To Install Using JumpStart Software” on page 27 of this administration guide.

■ If you have not already set up a JumpStart server, you must do so.

Refer to the Solaris 10 11/06 Installation Guide: Custom JumpStart and Advanced Installation for complete information about this procedure. You can find this installation guide at:

http://docs.sun.com/app/doc/819-6397/


1. Refer to Chapter 3 “Preparing Custom JumpStart Installations (Tasks)” in the Solaris 10 11/06 Installation Guide: Custom JumpStart and Advanced Installation, and perform the following steps.

a. Read the task map in “Task Map: Preparing Custom JumpStart Installations.”

b. Set up networked systems with the procedures in “Creating a Profile Server for Network Systems.”

c. Create the rules file with the procedure in “Creating the rules File.”

2. Validate the rules file with the procedure in “Validating the rules File.”

The Solaris Security Toolkit provides profiles and finish scripts. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about profiles and finish scripts.

▼ To Install Using JumpStart Software

1. Change to the directory where you have downloaded the Solaris Security Toolkit package (SUNWjass).

# cd /path/to/download

2. Install SUNWjass so that it creates the JumpStart (jumpstart) directory structure.

# pkgadd -R /jumpstart -d . SUNWjass.v

3. Use your text editor to modify the /jumpstart/opt/SUNWjass/Sysidcfg/Solaris_10/sysidcfg file to reflect your network environment.

4. Copy the /jumpstart/opt/SUNWjass/Drivers/user.init.SAMPLE to /jumpstart/opt/SUNWjass/Drivers/user.init

# cp user.init.SAMPLE user.init

5. Edit the user.init file to reflect your paths.

6. To install the Solaris Security Toolkit package (SUNWjass) onto the target system during a JumpStart install, you must place the package in the JASS_PACKAGE_MOUNT directory defined in your user.init file. For example:

# cp -r /jumpstart/opt/SUNWjass /jumpstart/opt/SUNWjass/Packages

Chapter 3 Installing and Enabling Software 27

Page 48: LDom Admin  guide

7. To install the Logical Domains Manager package (SUNWldm) onto the target systemduring a JumpStart install, you must place the package from the download area inthe JASS_PACKAGE_MOUNT directory defined in your user.init file. For example:

8. If you experience problems with a multihomed JumpStart server, modify the twoentries in the user.init file for JASS_PACKAGE_MOUNT and JASS_PATCH_MOUNTto the correct path to the JASS_HOME_DIR/Patches andJASS_HOME_DIR/Packages directories. Refer to the comments in theuser.init.SAMPLE file for more information.

9. Use the ldm_control-secure.driver as the basic driver for the LogicalDomains Manager control domain.

Refer to Chapter 4 in the Solaris Security Toolkit 4.2 Reference Manual for informationabout how to modify the driver for your use. The main driver in the Solaris SecurityToolkit that is the counterpart to the ldm_control-secure.driver is thesecure.driver.

10. After completing the modifications to the ldm_control-secure.driver, makethe correct entry in the rules file.

The entry should be similar to the following:

Note – If you undo hardening during a JumpStart install, you must run thefollowing SMF commands to restart the Logical Domains Manager.

# cp -r /path/to/SUNWldm /jumpstart/opt/SUNWjass/Packages

hostname imbulu - Profiles/oem.profile Drivers/ldm_control-secure-abc.driver

# svcadm enable svc:/ldoms/ldmd:default

28 Logical Domains (LDoms) 1.0 Administration Guide • May 2007

Installing Logical Domains Manager and Solaris Security Toolkit Software Manually

Perform the following procedures to install the Logical Domains Manager and Solaris Security Toolkit Software manually:

■ “To Download and Install the Logical Domains Manager (LDoms) 1.0 Software Manually” on page 29.

■ “(Optional) To Download and Install the Solaris Security Toolkit 4.2 Software Manually” on page 29.

■ “(Optional) To Harden the Control Domain Manually” on page 30.

▼ To Download and Install the Logical Domains Manager (LDoms) 1.0 Software Manually

1. Download the Logical Domains Manager 1.0 software, the SUNWldm package, from the Sun Software Download site at:

http://www.sun.com/download/products.xml?id=45b14cf9

2. Use the pkgadd(1M) command to install the SUNWldm package.

# pkgadd -d . SUNWldm.v

3. Answer y for yes to all questions in the interactive prompts.

4. Use the pkginfo(1) command to verify that the SUNWldm package for Logical Domains Manager 1.0 software is installed.

The revision (REV) information shown below is an example.

# pkginfo -l SUNWldm | grep VERSION
VERSION: 1.00,REV=2007.02.26.10.05

▼ (Optional) To Download and Install the Solaris Security Toolkit 4.2 Software Manually

Download and install the Solaris Security Toolkit software if you want to secure your system.

See Chapter 2 for information about security considerations when using Logical Domains Manager software. For further reference, you can find Solaris Security Toolkit 4.2 documentation at:

http://www.sun.com/products-n-solutions/hardware/docs/Software/enterprise_computing/systems_management/sst/index.html

If you want to harden your system, download and install the SUNWjass package. The required patches (122608-03 and 125672-01) are included in the SUNWjass package.

1. Download the Solaris Security Toolkit 4.2 software, the SUNWjass package, from the Sun Software Download site at:

http://www.sun.com/download/products.xml?id=45b14cf9

2. Use the pkgadd(1M) command to install the SUNWjass package.

# pkgadd -d . SUNWjass

3. Use the pkginfo(1) command to verify that the SUNWjass package for Solaris Security Toolkit 4.2 software is installed.

# pkginfo -l SUNWjass | grep VERSION
VERSION: 4.2.0

▼ (Optional) To Harden the Control Domain Manually

Perform this procedure only if you have installed the Solaris Security Toolkit 4.2 package.

Note – When you use the Solaris Security Toolkit to harden the control domain, you disable many system services and place certain restrictions on network access. Refer to “Related Documentation” on page xviii in this book to find Solaris Security Toolkit 4.2 documentation for more information.

1. Harden using the ldm_control-secure.driver.

# /opt/SUNWjass/bin/jass-execute -d ldm_control-secure.driver

You can use another driver to harden your system. You can also customize drivers to tune the security of your environment. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about drivers and customizing them.

2. Answer y for yes to all questions in the interactive prompts.

3. Use the shutdown(1M) command to shut down your server to reboot for the hardening to take place.

# /usr/sbin/shutdown -y -g0 -i6

▼ To Validate Hardening

● Check whether the Logical Domains hardening driver (ldom_control-secure.driver) applied hardening correctly.

# /opt/SUNWjass/bin/jass-execute -a ldom_control-secure.driver

If you want to check on another driver, substitute that driver’s name in this command example.

▼ To Undo Hardening

1. Undo the configuration changes applied by the Solaris Security Toolkit.

# /opt/SUNWjass/bin/jass-execute -u

The Solaris Security Toolkit asks you which hardening runs you want to undo.

2. Select the hardening runs you want to undo.

3. Reboot the system so that the unhardened configuration takes place.

# /usr/sbin/shutdown -y -g0 -i6

Note – If you undo hardening that was performed during a JumpStart installation, you must run the following SMF commands to restart the Logical Domains Manager and the Virtual Network Terminal Server Daemon.

# svcadm enable svc:/ldoms/ldmd:default

Enabling the Logical Domains Manager Daemon

The installation script install-ldm automatically enables the Logical Domains Manager Daemon (ldmd). If you have installed the Logical Domains Manager software manually, you must enable the Logical Domains Manager daemon, ldmd, which allows you to create, modify, and control the logical domains.

▼ To Enable the Logical Domains Manager Daemon

1. Use the svcadm(1M) command to enable the Logical Domains Manager daemon, ldmd:

# svcadm enable ldmd

2. Use the ldm list command to verify that the Logical Domains Manager is running.

You receive a message similar to the following, which is for the factory-default configuration. Note that the primary domain is active, which means that the Logical Domains Manager is running.

# cd /opt/SUNWldm/bin
# /opt/SUNWldm/bin/ldm list
Name     State   Flags  Cons  VCPU  Memory  Util  Uptime
primary  active  ---c-  SP    32    3264M   0.3%  19d 9m

Creating Authorization and Profiles and Assigning Roles for User Accounts

You set up authorization and profiles and assign roles for user accounts using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager. Refer to the Solaris 10 System Administration Collection for more information about RBAC.

Authorization for the Logical Domains Manager has two levels:

■ Read – allows you to view, but not modify the configuration.
■ Read and write – allows you to view and change the configuration.

Following are the Logical Domains entries automatically added to the Solaris OS /etc/security/auth_attr file:

■ solaris.ldoms.:::LDom administration::
■ solaris.ldoms.grant:::Delegate LDom configuration::
■ solaris.ldoms.read:::View LDom configuration::
■ solaris.ldoms.write:::Manage LDom configuration::

Managing User Authorizations

▼ To Add an Authorization for a User

Use the following steps as necessary to add authorizations in the /etc/security/auth_attr file for Logical Domains Manager users. Because the superuser already has solaris.* authorization, the superuser already has permission for solaris.ldoms.* authorizations.

1. Create a local user account for each user who needs authorization to use the ldm(1M) subcommands.

Note – To add Logical Domains Manager authorization for a user, a local (non-LDAP) account must be created for that user. Refer to the Solaris 10 System Administrator Collection for details.

2. Do one of the following depending on which ldm(1M) subcommands you want the user to be able to access.

See TABLE 2-1 for a list of ldm(1M) commands and their user authorizations.

■ Add a read-only authorization for a user using the usermod(1M) command.

# usermod -A solaris.ldoms.read username

■ Add a read and write authorization for a user using the usermod(1M) command.

# usermod -A solaris.ldoms.write username

▼ To Delete All Authorizations for a User

● Delete all authorizations for a local user account (the only possible option).

# usermod -A '' username

Managing User Profiles

The SUNWldm package adds two system-defined RBAC profiles in the /etc/security/prof_attr file for use in authorizing access to the Logical Domains Manager by non-superusers. The two LDoms-specific profiles are:

■ LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read

■ LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*

One of the preceding profiles can be assigned to a user account using the following procedure.

▼ To Add a Profile for a User

● Add an administrative profile for a local user account; for example, LDoms Management.

# usermod -P "LDoms Management" username

▼ To Delete All Profiles for a User

● Delete all profiles for a local user account (the only possible option).

# usermod -P '' username

Assigning Roles to Users

The advantage of using this procedure is that only a user who has been assigned a specific role can assume the role. In assuming a role, a password is required if the role is given a password. This provides two layers of security. If a user has not been assigned a role, then the user cannot assume the role (by doing the su role_name command) even if the user has the correct password.

▼ To Create a Role and Assign the Role to a User

1. Create a role.

# roleadd -A solaris.ldoms.read ldm_read

2. Assign a password to the role.

# passwd ldm_read

3. Assign the role to a user; for example, user_1.

# useradd -R ldm_read user_1

4. Assign a password to the user (user_1).

# passwd user_1

5. Provide access to the user for ldm subcommands that have read authorization.

# su ldm_read

6. Type the user password if or when prompted.

7. Type the id command to show the user:

# id
uid=nn(ldm_read) gid=nn(group_name)
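The following script is an added example, not part of this guide or of the SUNWldm package. It resolves what the RBAC entries described in the preceding sections (direct auths= grants, the LDoms Review and LDoms Management profiles, and roles assumed with su) amount to for a given local account: it reads constructed copies of /etc/user_attr and /etc/security/prof_attr in their real formats, expands profile grants, applies the trailing-* wildcard rule that makes solaris.* and solaris.ldoms.* cover solaris.ldoms.read and solaris.ldoms.write, and reports read-only, read-write, or no ldm(1M) access. The accounts user_1 to user_4 and the embedded database contents are constructed for the example; on a live system you would load the two files instead.

```shell
#!/bin/sh
# Added example: resolve effective LDoms authorizations from RBAC databases.
# The two databases below are CONSTRUCTED samples in the real file formats;
# on a live system use USER_ATTR=$(cat /etc/user_attr) and
# PROF_ATTR=$(cat /etc/security/prof_attr) instead.
USER_ATTR='root::::auths=solaris.*;profiles=All
ldm_read::::type=role;auths=solaris.ldoms.read
user_1::::type=normal;roles=ldm_read
user_2::::type=normal;auths=solaris.ldoms.read
user_3::::type=normal;profiles=LDoms Management
user_4::::type=normal'

PROF_ATTR='LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*'

# attr_field DB NAME -> the key=value;key=value attribute field (5th) of NAME
attr_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { print $5; exit }'
}

# attr_value ATTRS KEY -> value of KEY inside a ;-separated attribute field
attr_value() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# effective_auths NAME -> one authorization per line: direct auths= grants plus
# the auths= of every profile in profiles=. Roles are NOT included: a role's
# authorizations apply only after the user assumes it with su role_name.
effective_auths() {
    attrs=$(attr_field "$USER_ATTR" "$1")
    {
        attr_value "$attrs" auths
        attr_value "$attrs" profiles | tr ',' '\n' | while read -r prof; do
            [ -n "$prof" ] || continue
            attr_value "$(attr_field "$PROF_ATTR" "$prof")" auths
        done
    } | tr ',' '\n' | sed '/^$/d' | sort -u
}

# has_auth NAME AUTH -> exit 0 if AUTH is granted, honouring a trailing '*'
# (solaris.* covers everything; solaris.ldoms.* covers read, write and grant).
has_auth() {
    effective_auths "$1" | {
        while read -r granted; do
            case "$granted" in
                "$2") exit 0 ;;
                *\*) prefix=${granted%\*}
                     case "$2" in "$prefix"*) exit 0 ;; esac ;;
            esac
        done
        exit 1
    }
}

# ldoms_access NAME -> read-write | read-only | none, the two authorization
# levels of the Logical Domains Manager.
ldoms_access() {
    if has_auth "$1" solaris.ldoms.write; then echo read-write
    elif has_auth "$1" solaris.ldoms.read; then echo read-only
    else echo none
    fi
}

# can_assume USER ROLE -> yes when ROLE is in the user's roles= list, the
# first of the two layers: without the assignment the password alone is useless.
can_assume() {
    attr_value "$(attr_field "$USER_ATTR" "$1")" roles | tr ',' '\n' |
        { while read -r r; do [ "$r" = "$2" ] && exit 0; done; exit 1; } &&
        echo yes || echo no
}

for acct in root ldm_read user_1 user_2 user_3 user_4; do
    printf '%-9s %-10s roles:%s\n' "$acct" "$(ldoms_access "$acct")" \
        "$(attr_value "$(attr_field "$USER_ATTR" "$acct")" roles)"
done
```

user_1 shows the point of the role procedure: the account itself has no LDoms authorization (ldoms_access prints none) and gains read access only while it has assumed ldm_read, which can_assume confirms it is allowed to do.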

CHAPTER 4

Setting Up Services and Logical Domains

This chapter describes the procedures necessary to set up default services, your control domain, and guest domains:

■ “Creating Default Services” on page 37
■ “Initial Configuration of the Control Domain” on page 40
■ “Rebooting to Use Logical Domains” on page 42
■ “Enabling Networking Between the Control/Service Domain and Other Domains” on page 42
■ “Enabling the Virtual Network Terminal Server Daemon” on page 44
■ “Creating and Starting a Guest Domain” on page 45
■ “JumpStarting a Guest Domain” on page 49

Creating Default Services

You must create the following virtual default services initially to be able to use them later:

■ vdiskserver – virtual disk server
■ vswitch – virtual switch service
■ vconscon – virtual console concentrator service

▼ To Create Default Services

1. Create a virtual disk server (vds) to allow importing virtual disks into a logical domain.

For example, the following command adds a virtual disk server (primary-vds0) to the control domain (primary).

$ ldm add-vds primary-vds0 primary
Notice: the LDom Manager is running in configuration mode. Any configuration changes made will only take effect after the machine configuration is downloaded to the system controller and the host is reset.

2. Create a virtual console concentrator service (vcc) for use by the virtual network terminal server daemon (vntsd) and as a concentrator for all logical domain consoles.

For example, the following command would add a virtual console concentrator service (primary-vcc0) with a port range from 5000 to 5100 to the control domain (primary).

$ ldm add-vcc port-range=5000-5100 primary-vcc0 primary
Notice: the LDom Manager is running in configuration mode. Any configuration changes made will only take effect after the machine configuration is downloaded to the system controller and the host is reset.

3. Create a virtual switch service (vsw) to enable networking between virtual network (vnet) devices in logical domains. Assign a GLDv3-compliant network adapter to the virtual switch if each of the logical domains needs to communicate outside the box through the virtual switch.

For example, the following command would add a virtual switch service (primary-vsw0) on network adapter driver e1000g0 to the control domain (primary).

$ ldm add-vsw net-dev=e1000g0 primary-vsw0 primary
Notice: the LDom Manager is running in configuration mode. Any configuration changes made will only take effect after the machine configuration is downloaded to the system controller and the host is reset.

This command automatically allocates a MAC address to the virtual switch. If you want, you can specify your own MAC address as an option to the ldm add-vsw command. However, in that case, it is your responsibility to ensure that the MAC address specified does not conflict with an already existing MAC address.

$ ldm add-vsw mac-addr=2:04:4f:fb:9f:0d net-dev=e1000g0 primary-vsw0 primary
Notice: the LDom Manager is running in configuration mode. Any configuration changes made will only take effect after the machine configuration is downloaded to the system controller and the host is reset.

If the virtual switch being added replaces the underlying physical adapter as the primary network interface, it must be assigned the MAC address of the physical adapter, so that the Dynamic Host Configuration Protocol (DHCP) server assigns the domain the same IP address. See “Enabling Networking Between the Control/Service Domain and Other Domains” on page 42.

4. Verify the services have been created by using the list-services subcommand. Your output should look similar to this:

$ ldm list-services primary
...
Vds: primary-vds0
    vdsdev: vol0 device=/export/home/solaris_10.disk
Vcc: primary-vcc0
    port-range=5000-5100
Vsw: primary-vsw0
    mac-addr=2:04:4f:fb:9f:0d
    net-dev=e1000g0
    mode=prog,promisc
...

Initial Configuration of the Control Domain

Initially, all system resources are allocated to the control domain. To allow the creation of other logical domains, you must release some of these resources.

▼ To Set Up the Control Domain

Note – The steps in this procedure contain examples of numbers of resources to set for your control domain. These numbers are examples only, and the values used may not be appropriate for your control domain.

1. Assign cryptographic resources to the control domain.

Note – If you have any cryptographic devices in the control domain, you cannot dynamically reconfigure CPUs. So if you are not using cryptographic devices, set-mau to 0.

The following example would assign one cryptographic resource to the control domain, primary. This leaves the remainder of the cryptographic resources available to a guest domain.

$ ldm set-mau 1 primary
Notice: the LDom Manager is running in configuration mode. Any configuration changes made will only take effect after the machine configuration is downloaded to the system controller and the host is reset.

2. Assign virtual CPUs to the control domain.

For example, the following command would assign four virtual CPUs to the control domain, primary. This leaves the remainder of the virtual CPUs available to a guest domain.

$ ldm set-vcpu 4 primary
Notice: the LDom Manager is running in configuration mode. Any configuration changes made will only take effect after the machine configuration is downloaded to the system controller and the host is reset.

3. Assign memory to the control domain.

For example, the following command would assign 1 gigabyte of memory to the control domain, primary. This leaves the remainder of the memory available to a guest domain.

$ ldm set-memory 4G primary
Notice: the LDom Manager is running in configuration mode. Any configuration changes made will only take effect after the machine configuration is downloaded to the system controller and the host is reset.

4. Add a logical domain machine configuration to the system controller (SC).

For example, the following command would add a configuration called initial.

$ ldm add-config initial

5. Verify that the configuration is ready to be used at the next reboot.

$ ldm list-config
factory-default [current]
initial [next]

This list subcommand shows that the factory-default configuration set is currently being used and the initial configuration set will be used once you reboot.

Rebooting to Use Logical Domains

You must reboot the control/service domain for the preceding changes to take effect and the resources to be released for other logical domains to use.

▼ To Reboot to Use Logical Domains

● Shut down and reboot the primary domain, which is also the service domain in our examples.

primary# shutdown -y -g0 -i6

Enabling Networking Between the Control/Service Domain and Other Domains

By default, networking between the control/service domain and other domains in the system is disabled. To enable this, the virtual switch device should be configured as a network device. The virtual switch can either replace the underlying physical device (e1000g0 in this example) as the primary interface or be configured as an additional network interface in the domain.

Note – Perform the following configuration steps from the domain’s console, as the procedure could temporarily disrupt network connectivity to the domain.

▼ To Configure the Virtual Switch as the Primary Interface

1. Print out the addressing information for all interfaces.

primary# ifconfig -a

2. Plumb the virtual switch. In this example, vsw0 is the virtual switch being configured.

primary# ifconfig vsw0 plumb

3. (Optional) To obtain the list of all virtual switch instances in a domain, you can list them by doing the following:

primary# /usr/sbin/dladm show-link | grep vsw
vsw0 type: non-vlan mtu: 1500 device: vsw0

4. Unplumb the physical network device assigned to the virtual switch (net-dev), which is e1000g0 in this example.

primary# ifconfig e1000g0 down unplumb

5. To migrate properties of the physical network device (e1000g0) to the virtual switch (vsw0) device, do one of the following:

■ If networking is configured using a static IP address, reuse the IP address and netmask of e1000g0 for vsw0.

primary# ifconfig vsw0 IP_of_e1000g0 netmask netmask_of_e1000g0 broadcast + up

■ If networking is configured using DHCP, enable DHCP for vsw0.

primary# ifconfig vsw0 dhcp start

6. Make the required configuration file modifications to make this change permanent.

primary# mv /etc/hostname.e1000g0 /etc/hostname.vsw0
primary# mv /etc/dhcp.e1000g0 /etc/dhcp.vsw0

Note – If necessary, you can also configure the virtual switch as well as the physical network device. In this case, plumb the virtual switch as in Step 2, and do not unplumb the physical device (skip Step 4). The virtual switch must then be configured with either a static IP address or obtain a dynamic IP address from a DHCP server.
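Because steps 4 to 6 are run from the console and cut the domain off the network if anything is wrong, it helps to check the inputs before typing them. The script below is an added example, not from this guide: it parses constructed samples of the ifconfig -a and ldm list-services output the procedure tells you to look at, verifies the caveat from the virtual switch step (a switch that replaces the physical adapter must carry that adapter's MAC address, or the DHCP server will hand the domain a different lease), and prints the static-address form of the takeover commands for review instead of executing them. The interface names e1000g0, vsw0 and primary-vsw0 are the guide's; the addresses in the samples are constructed, and the e1000g0 ether address is deliberately different from the switch's mac-addr to show the check failing.

```shell
#!/bin/sh
# Added example: pre-flight check for replacing e1000g0 by vsw0 as the primary
# interface. Both command outputs are CONSTRUCTED samples in the Solaris
# formats; on a live control domain replace them with
#   IFCONFIG_OUT=$(ifconfig -a)   and   LDM_SERVICES=$(ldm list-services primary)
IFCONFIG_OUT='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.10.25 netmask ffffff00 broadcast 192.168.10.255
        ether 0:14:4f:fb:9f:0d'

LDM_SERVICES='Vds: primary-vds0
    vdsdev: vol0 device=/export/home/solaris_10.disk
Vcc: primary-vcc0
    port-range=5000-5100
Vsw: primary-vsw0
    mac-addr=2:04:4f:fb:9f:0d
    net-dev=e1000g0
    mode=prog,promisc'

# iface_addr IFACE -> "ip netmask" as printed by ifconfig (netmask in hex)
iface_addr() {
    printf '%s\n' "$IFCONFIG_OUT" | awk -v want="$1" '
        /^[^ ]/ { cur = $1; sub(/:$/, "", cur) }
        cur == want && $1 == "inet" { print $2, $4 }'
}

# iface_ether IFACE -> link-layer address of IFACE
iface_ether() {
    printf '%s\n' "$IFCONFIG_OUT" | awk -v want="$1" '
        /^[^ ]/ { cur = $1; sub(/:$/, "", cur) }
        cur == want && $1 == "ether" { print $2 }'
}

# vsw_prop VSW KEY -> value of KEY (mac-addr, net-dev, mode) under "Vsw: VSW"
vsw_prop() {
    printf '%s\n' "$LDM_SERVICES" | awk -v want="$1" -v key="$2" '
        /^[A-Z][a-z]+:/ { cur = ($1 == "Vsw:") ? $2 : "" }
        cur == want && index($1, key "=") == 1 { print substr($1, length(key) + 2) }'
}

# norm_mac MAC -> 12 lowercase hex digits, so "0:14:4f:.." and "00:14:4F:.."
# compare equal; ldm and ifconfig both print octets without leading zeros.
norm_mac() {
    for octet in $(printf '%s' "$1" | tr ':' ' '); do
        printf '%02x' "$(( 0x$octet ))"
    done
    printf '\n'
}

# check_vsw_mac VSW -> "match" when the switch carries the MAC of its net-dev,
# otherwise "mismatch" (the DHCP lease would change once the switch takes over).
check_vsw_mac() {
    dev=$(vsw_prop "$1" net-dev)
    if [ "$(norm_mac "$(vsw_prop "$1" mac-addr)")" = "$(norm_mac "$(iface_ether "$dev")")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# takeover_cmds IFACE VSW -> the static-address form of steps 4 to 6, printed
# rather than executed so they can be reviewed on the console first.
takeover_cmds() {
    set -- "$1" "$2" $(iface_addr "$1")   # $3 = ip, $4 = netmask
    printf 'ifconfig %s down unplumb\n' "$1"
    printf 'ifconfig %s %s netmask %s broadcast + up\n' "$2" "$3" "$4"
    printf 'mv /etc/hostname.%s /etc/hostname.%s\n' "$1" "$2"
}

echo "primary-vsw0 MAC against its net-dev: $(check_vsw_mac primary-vsw0)"
takeover_cmds e1000g0 vsw0
```

With the constructed samples the check reports mismatch; recreating the switch with mac-addr set to the e1000g0 ether address (the ldm add-vsw mac-addr= form shown in step 3) would make it report match.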

Enabling the Virtual Network Terminal Server Daemon

You must enable the virtual network terminal server daemon (vntsd) to provide access to the virtual console of each logical domain. Refer to the Solaris 10 OS Reference Manual collection or the vntsd(1M) man page for information about how to use this daemon.

▼ To Enable the Virtual Network Terminal Server Daemon

Note – Be sure you have created the default service vconscon on the control domain before you enable vntsd. See “Creating Default Services” on page 37 for more information.

1. Use the svcadm(1M) command to enable the virtual network terminal server daemon, vntsd(1M).

# svcadm enable vntsd

2. Use the svcs(1) command to verify that the vntsd is enabled.

# svcs -l vntsd
fmri         svc:/ldoms/vntsd:default
name         virtual network terminal server
enabled      true
state        online
next_state   none
state_time   Sat Jan 27 03:14:18 2007
logfile      /var/svc/log/ldoms-vntsd:default.log
restarter    svc:/system/svc/restarter:default
contract_id  93
dependency   optional_all/error svc:/milestone/network (online)
dependency   optional_all/none svc:/system/system-log (online)

Creating and Starting a Guest Domain

The guest domain must run an operating system that understands both the sun4v platform and the virtual devices presented by the hypervisor. Currently, this is the Solaris 10 11/06 OS with required patches 124921-02 and 125043-01 (with KU 118833-36). Once you have created default services and reallocated resources from the control domain, you can create and start a guest domain.

▼ To Create and Start a Guest Domain

1. Create a logical domain.

For example, the following command would create a guest domain named ldg1.

$ ldm add-domain ldg1

2. Add CPUs to the guest domain.

For example, the following command would add four virtual CPUs to guest domain ldg1.

$ ldm add-vcpu 4 ldg1

3. Add memory to the guest domain.

For example, the following command would add 512 megabytes of memory to guest domain ldg1.

$ ldm add-memory 512m ldg1

4. Add a virtual network device to the guest domain.

For example, the following command would add a virtual network device with these specifics to the guest domain ldg1:

$ ldm add-vnet vnet1 primary-vsw0 ldg1

■ vnet1 is a unique interface name to the logical domain, assigned to this virtual network device instance for reference on subsequent set-vnet or remove-vnet subcommands.

■ primary-vsw0 is the name of an existing network service (virtual switch) to which to connect.

5. Specify the device to be exported by the virtual disk server as a virtual disk to the guest domain.

You can export a physical disk, disk slice, volumes, or file as a block device. Exporting loopback (lofi) devices as block devices is not supported in this release of Logical Domains software. The following examples show a physical disk and a file.

■ Physical Disk Example. The first example adds a physical disk with these specifics.

$ ldm add-vdsdev /dev/dsk/c0t0d0s2 vol1@primary-vds0

Where:

■ /dev/dsk/c0t0d0s2 is the path name of the actual physical device. When adding a device, the path name must be paired with the device name.

■ vol1 is a unique name you must specify for the device being added to the virtual disk server. The device name must be unique to this virtual disk server instance, because this name is exported by this virtual disk server to the clients for adding. When adding a device, the device name must be paired with the path name of the actual device.

■ primary-vds0 is the name of the virtual disk server to which to add this device.

■ File Example. This second example is exporting a file as a block device.

$ ldm add-vdsdev path_to_file/filename vol1@primary-vds0

Where:

■ path_to_file/filename is the path name of the actual file exported as a block device. When adding a device, the path name must be paired with the device name.

■ vol1 is a unique name you must specify for the device being added to the virtual disk server. The device name must be unique to this virtual disk server instance, because this name is exported by this virtual disk server to the clients for adding. When adding a device, the device name must be paired with the path name of the actual device.

■ primary-vds0 is the name of the virtual disk server to which to add this device.

6. Add a virtual disk to the guest domain.

The following example adds a virtual disk to the guest domain ldg1.

$ ldm add-vdisk vdisk1 vol1@primary-vds0 ldg1

Where:

■ vdisk1 is the name of the virtual disk.

■ vol1 is the name of the existing virtual disk server device to which to connect.

■ primary-vds0 is the name of the existing virtual disk server to which to connect.

Note – The virtual disks are generic block devices that are backed by different types of physical devices, volumes, or files. A virtual disk is not synonymous with a SCSI disk and, therefore, excludes the target ID in the disk label. Virtual disks in a logical domain have the following format: cNdNsN, where cN is the virtual controller, dN is the virtual disk number, and sN is the slice.

7. Set auto-boot and boot-device variables for the guest domain.

The first example command sets auto-boot\? to true for guest domain ldg1.

$ ldm set-var auto-boot\?=true ldg1

The second example command sets boot-device to vdisk for the guest domain ldg1.

$ ldm set-var boot-device=vdisk ldg1

8. Bind resources to the guest domain ldg1 and then list the domain to verify that it is bound.

$ ldm bind-domain ldg1
$ ldm list-domain ldg1
Name     State   Flags  Cons  VCPU  Memory  Util  Uptime
ldg1     bound   -----  5001  4     512m

9. To find the console port of the guest domain, you can look at the output of the preceding list-domain subcommand.

You can see under the heading Cons that logical domain guest 1 (ldg1) has its console output bound to port 5001.

10. Start the guest domain ldg1.

$ ldm start-domain ldg1

11. Connect to the console of a guest domain. There are several ways you can do this.

■ For example, you can connect directly to the console port on the local host:

$ ssh [email protected]
$ telnet localhost 5001

■ You can also connect to a guest console over a network if it is enabled in the vntsd(1M) SMF manifest. For example:

$ telnet host-name 5001

A Service Management Facility manifest is an XML file that describes a service. For more information about creating an SMF manifest, refer to the Solaris 10 Collection.
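Steps 8 to 11 read two outputs by eye: the svcs -l vntsd listing (to confirm the console daemon is online) and the Cons column of ldm list-domain (for the port). The script below is an added example, not from this guide, that performs those two reads from constructed samples in the formats shown above and only then reports the localhost port to connect to. The domains ldg1 and primary carry the guide's values; ldg2 is a constructed, still inactive domain added to show the main pitfall of parsing this table: an unbound domain prints no Cons value, so its columns shift left and the Cons position holds the VCPU count instead. On a live control domain the two variables would be filled from the commands named in the comments.

```shell
#!/bin/sh
# Added example: decide whether a guest console can be reached, from the two
# outputs the procedure tells you to inspect. Both outputs are CONSTRUCTED
# samples in the formats the guide shows; on a live system use
#   SVCS_OUT=$(svcs -l vntsd)   and   LDM_LIST=$(ldm list-domain)
SVCS_OUT='fmri         svc:/ldoms/vntsd:default
name         virtual network terminal server
enabled      true
state        online
next_state   none'

LDM_LIST='Name     State    Flags  Cons  VCPU  Memory  Util  Uptime
primary  active   ---c-  SP    4     1G      0.3%  19d 9m
ldg1     bound    -----  5001  4     512m
ldg2     inactive -----        2     1G'

# svc_field KEY -> value of KEY in svcs -l output (state, enabled, ...)
svc_field() {
    printf '%s\n' "$SVCS_OUT" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# domain_col NAME COLUMN -> that column of NAME's row in ldm list-domain.
# Columns are located by header name but read positionally, so the value is
# only meaningful when the row actually has every column filled in.
domain_col() {
    printf '%s\n' "$LDM_LIST" | awk -v name="$1" -v col="$2" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == col) want = i; next }
        $1 == name { print (want ? $want : ""); exit }'
}

# console_target NAME -> "localhost PORT" when the console can be reached,
# otherwise the reason. Cons is read only for bound or active domains: an
# unbound domain prints no Cons value, so its columns shift left.
console_target() {
    [ "$(svc_field state)" = "online" ] || { echo "vntsd not online"; return 1; }
    st=$(domain_col "$1" State)
    case "$st" in
        bound|active) ;;
        "") echo "no such domain"; return 1 ;;
        *)  echo "domain $1 is $st, bind it first"; return 1 ;;
    esac
    port=$(domain_col "$1" Cons)
    case "$port" in
        [0-9]*) echo "localhost $port" ;;
        *) echo "console of $1 is on $port, not a vntsd port"; return 1 ;;
    esac
}

for d in primary ldg1 ldg2; do
    printf '%-8s %s\n' "$d" "$(console_target "$d")"
done
```

The primary domain's console is on the system controller (Cons shows SP), which the script reports rather than trying to turn into a port; for ldg1 it returns the same localhost 5001 target that step 11 uses with telnet.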

JumpStarting a Guest Domain

If you are JumpStarting a guest domain, you would use a normal JumpStart procedure with the following profile syntax changes from a regular Solaris OS JumpStart to a JumpStart specific to LDoms as shown in the following two examples.

Normal JumpStart Profile

filesys c1t1d0s0 free /
filesys c1t1d0s1 2048 swap
filesys c1t1d0s5 120 /spare1
filesys c1t1d0s6 120 /spare2

Virtual disk device names in a logical domain differ from physical disk device names in that they do not contain a target ID (tN) in the device name. Instead of the normal cNtNdNsN format, virtual disk device names are of the format cNdNsN, where cN is the virtual controller, dN is the virtual disk number, and sN is the slice. Modify your JumpStart profile to reflect this change as in the following profile example.

Actual Profile Used for a Logical Domain

filesys c0d0s0 free /
filesys c0d0s1 2048 swap
filesys c0d0s5 120 /spare1
filesys c0d0s6 120 /spare2

CHAPTER 5

Other Information and Tasks

This chapter contains the following information and tasks that you need to know about in using the Logical Domains Manager:

■ “Stopping, Unbinding, and Deleting a Guest Logical Domain” on page 52
■ “Assigning MAC Addresses” on page 53
■ “CPU and Memory Address Mapping” on page 53
■ “Configuring Split PCI Express Bus to Use Multiple Logical Domains” on page 57
■ “Enabling the I/O MMU Bypass Mode on a PCI Bus” on page 60
■ “Operating the Solaris OS With Logical Domains” on page 62
■ “Moving a Logical Domain From One Server to Another” on page 64
■ “Using LDoms With ALOM CMT” on page 65
■ “Accessing the ldm(1M) Man Page” on page 66
■ “Enabling and Using BSM Auditing” on page 67
■ “Using ldm list Subcommands” on page 70
■ “Using Console Groups” on page 83
■ “Configuring Virtual Switch and Service Domain for NAT and Routing” on page 84
■ “Using ZFS With Virtual Disks” on page 85
■ “Using Volume Managers in a Logical Domains Environment” on page 91
■ “Configuring IPMP in a Logical Domains Environment” on page 95

Stopping, Unbinding, and Deleting a Guest Logical Domain

This section describes how to stop, unbind, and remove a guest domain.

▼ To Stop, Unbind, and Remove a Guest Domain

1. Stop the guest domain ldg1 by using this command.

$ ldm stop-domain ldg1

Note – The stop-domain subcommand sends a shutdown(1M) request to the logical domain if the Solaris OS is booted. If the domain cannot be stopped by any other means, use the -f option of the stop-domain subcommand to force the domain to stop.

2. Release all the resources attached to (unbind) the guest domain ldg1.

$ ldm unbind-domain ldg1

3. Remove the guest domain ldg1.

$ ldm remove-domain ldg1

Assigning MAC AddressesIn the Logical Domains Manager, you can manually assign MAC addresses to thevirtual network (vnet) and the virtual switch (vswitch), or you can have theLogical Domains Manager automatically assign the MAC addresses.

The advantage to having the Logical Domains Manager assign the MAC addresses isthat it utilizes the block of MAC addresses dedicated for use with logical domains.Also, the Logical Domains Manager detects and prevents MAC address collisionswith other Logical Domains Manager instances on the same subnet. This means thatthe odds of having a MAC address collision with automatic allocation is quite small.

MAC address assignment for virtual network devices happens as soon as the virtualdevice (vnet or vswitch) is configured into a domain. In addition, the assignmentis persistent until the device, or the logical domain itself, is removed.

CPU and Memory Address MappingThe Solaris Fault Management Architecture (FMA) reports CPU errors in terms ofphysical CPU numbers and memory errors in terms of physical memory addresses.

If you want to determine within which logical domain an error occurred and thecorresponding virtual CPU number or real memory address within the domain, thenyou must perform a mapping.

CPU MappingThe domain and the virtual CPU number within the domain, which correspond to agiven physical CPU number, can be determined as follows.

▼ To Determine the CPU Number

1. Generate a long list for all domains.

2. Look for the entry in the list’s Vcpu: sections that has a pid field equal to thephysical CPU number.

# ldm ls -l

Chapter 5 Other Information and Tasks 53


a. If you find such an entry, the CPU is in the domain the entry is listed under, and the virtual CPU number within the domain is given by the entry's vid field.

b. If you do not find such an entry, the CPU is not in any domain.

Memory Mapping

The domain and the real memory address within the domain, which correspond to a given physical memory address (PA), can be determined as follows.

▼ To Determine the Real Memory Address

1. Generate a long list for all domains.

2. Look for the line in the list's Memory: sections where the PA falls within the inclusive range phys-addr to (phys-addr + size - 1): that is, phys-addr <= PA <= (phys-addr + size - 1), or equivalently phys-addr <= PA < (phys-addr + size).

Here phys-addr and size refer to the values in the corresponding fields of the line.

a. If you find such an entry, the PA is in the domain the entry is listed under and the corresponding real address within the domain is given by real-addr + (PA - phys-addr).

b. If you do not find such an entry, the PA is not in any domain.

Example

Suppose you have a logical domain configuration as shown in CODE EXAMPLE 5-1, and you want to determine the domain and the virtual CPU corresponding to physical CPU number 5, and the domain and the real address corresponding to physical address 0x7e816000.

Looking through the Vcpu: entries in the list for the one with the pid field equal to 5, you can find the following entry under logical domain ldg1:

# ldm ls -l
    vid pid util strand
    1   5   29%  100%


Hence, the physical CPU number 5 is in domain ldg1 and within the domain it has virtual CPU number 1.

Looking through the Memory: entries in the list, you can find the following entry under domain ldg2:

    real-addr  phys-addr   size
    0x8000000  0x78000000  1G

Where 0x78000000 <= 0x7e816000 < (0x78000000 + 0x40000000), that is, phys-addr <= PA < (phys-addr + size).

Hence, the PA is in domain ldg2 and the corresponding real address is 0x8000000 + (0x7e816000 - 0x78000000) = 0xe816000.

CODE EXAMPLE 5-1 Long List of Logical Domain Configuration

# ldm ls -l
Name: primary
State: active
Flags: normal,control,vio service
OS: Solaris running
Util: 0.8%
Uptime: 2d 21h 9m
Vcpu: 4
    vid pid util strand
    0   0   1.2% 100%
    1   1   0.7% 100%
    2   2   0.7% 100%
    3   3   0.6% 100%
Mau: 1
    mau cpuset (0, 1, 2, 3)
Memory: 1G
    real-addr  phys-addr  size
    0x8000000  0x8000000  1G
Vars: reboot-command=boot
IO: pci@780 (bus_a)
    pci@7c0 (bus_b)
Vldc: primary-vldc0 [num_clients=5]
Vldc: primary-vldc3 [num_clients=7]
Vds: primary-vds0 [num_clients=2]
    vdsdev: disk-ldg1 device=/opt/ldoms/testdisk.1
    vdsdev: disk-ldg2 device=/opt/ldoms/testdisk.2
Vcc: primary-vcc0 [num_clients=2]
    port-range=5000-5100
Vsw: primary-vsw0 [num_clients=2]
    mac-addr=0:14:4f:f8:7:26
    net-dev=e1000g0
    mode=prog,promisc
Vcons: SP
----------------------------------------------------------------------------
Name: ldg1
State: active
Flags: normal
OS: Solaris running
Util: 1.8%
Uptime: 10m
Vcpu: 2
    vid pid util strand
    0   4   29%  100%
    1   5   29%  100%
Memory: 768M
    real-addr  phys-addr   size
    0x8000000  0x48000000  768M
Vars: auto-boot?=true
    boot-device=/virtual-devices@100/channel-devices@200/disk@0
Vnet: net
    mac-addr=0:14:4f:f8:75:3
    service: primary-vsw0 @ primary
Vdisk: vdisk-1 disk-ldg1@primary-vds0
    service: primary-vds0 @ primary
Vcons: group1@primary-vcc0 [port:5000]
----------------------------------------------------------------------------
Name: ldg2
State: active
Flags: normal
OS: Solaris running
Util: 9.5%
Uptime: 3m
Vcpu: 3
    vid pid util strand
    0   6   35%  100%
    1   7   34%  100%
    2   8   35%  100%
Memory: 1G
    real-addr  phys-addr   size
    0x8000000  0x78000000  1G
Vars: auto-boot?=true
    boot-device=/virtual-devices@100/channel-devices@200/disk@0
Vnet: net
    mac-addr=0:14:4f:f8:50:74
    service: primary-vsw0 @ primary
Vdisk: vdisk-2 disk-ldg2@primary-vds0
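The two lookups above (physical CPU to domain/vid, PA to domain/real address) and the MAC address check from "Assigning MAC Addresses" are tedious to do by eye on a host with many domains. The shell functions below script them against "ldm ls -l" output. This is an added example, not code from the guide or from the Logical Domains Manager: the listing it parses, SAMPLE_LS_L, is a constructed excerpt in the layout of CODE EXAMPLE 5-1, and the assumption that a "Vcpu:" or "Memory:" table ends at the next unindented field is taken from that layout.

```shell
# Added example (not from the LDoms guide): map a physical CPU number or a
# physical address (PA) back to its domain by parsing "ldm ls -l" output, and
# flag MAC addresses that appear more than once.  Every function reads the
# listing on stdin, so on a control domain you would run, for instance:
#     ldm ls -l | cpu_owner 5
# SAMPLE_LS_L is a constructed excerpt in the layout of CODE EXAMPLE 5-1.

SAMPLE_LS_L='Name: primary
Vcpu: 4
    vid pid util strand
    0   0   1.2% 100%
    1   1   0.7% 100%
    2   2   0.7% 100%
    3   3   0.6% 100%
Mau: 1
    mau cpuset (0, 1, 2, 3)
Memory: 1G
    real-addr  phys-addr  size
    0x8000000  0x8000000  1G
Vsw: primary-vsw0 [num_clients=2]
    mac-addr=0:14:4f:f8:7:26
----------------------------------------------------------------
Name: ldg1
Vcpu: 2
    vid pid util strand
    0   4   29%  100%
    1   5   29%  100%
Memory: 768M
    real-addr  phys-addr   size
    0x8000000  0x48000000  768M
Vnet: net
    mac-addr=0:14:4f:f8:75:3
----------------------------------------------------------------
Name: ldg2
Vcpu: 3
    vid pid util strand
    0   6   35%  100%
    1   7   34%  100%
    2   8   35%  100%
Memory: 1G
    real-addr  phys-addr   size
    0x8000000  0x78000000  1G
Vnet: net
    mac-addr=0:14:4f:f8:50:74'

# cpu_owner PID: print "<domain> <vid>" for the domain that owns physical
# CPU PID, nothing if no domain has it.  "Vcpu:" opens the vCPU table and
# any other unindented field closes it.
cpu_owner() {
    awk -v want="$1" '
        /^Name:/    { dom = $2; sect = "" }
        /^Vcpu:/    { sect = "vcpu"; next }
        /^[A-Za-z]/ { sect = "" }
        sect == "vcpu" && $1 ~ /^[0-9]+$/ && $2 == want { print dom, $1; exit }
    '
}

# size_bytes SIZE: convert an ldm size such as 768M or 1G to bytes
size_bytes() {
    case "$1" in
        *G) echo $(( ${1%G} * 1073741824 )) ;;
        *M) echo $(( ${1%M} * 1048576 )) ;;
        *K) echo $(( ${1%K} * 1024 )) ;;
        *)  echo "$1" ;;
    esac
}

# pa_owner PA: print "<domain> <real-addr>" for the domain whose memory
# block contains PA, testing phys-addr <= PA < phys-addr + size (the upper
# bound is exclusive, i.e. the last valid PA is phys-addr + size - 1).
pa_owner() {
    pa=$(( $1 ))
    awk '
        /^Name:/    { dom = $2; sect = "" }
        /^Memory:/  { sect = "mem"; next }
        /^[A-Za-z]/ { sect = "" }
        sect == "mem" && $1 ~ /^0x/ { print dom, $1, $2, $3 }
    ' | while read -r dom real phys size; do
        base=$(( $phys ))
        len=$(size_bytes "$size")
        if [ "$pa" -ge "$base" ] && [ "$pa" -lt $(( base + len )) ]; then
            printf '%s 0x%x\n' "$dom" $(( $real + pa - base ))
            break
        fi
    done
}

# dup_macs: print each MAC (lower-cased) assigned to more than one vnet or
# vswitch in the listing; empty output means no collision in this listing.
dup_macs() {
    awk -F= '/^[ \t]*mac-addr=/ { print tolower($2) }' | sort | uniq -d
}
```

With the sample, "cpu_owner 5" prints "ldg1 1" and "pa_owner 0x7e816000" prints "ldg2 0xe816000", the same answers the worked example derives by hand. dup_macs only sees what you feed it; to approximate the cross-host check the Manager performs on a subnet, concatenate "ldm ls -l" output collected from each control domain before piping it in.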


Configuring Split PCI Express Bus to Use Multiple Logical Domains

The PCI Express (PCI-E) bus on a supported server consists of two ports with various leaf devices attached to them. These are identified on a server with the names pci@780 (bus_a) and pci@7c0 (bus_b). In a multidomain environment, the PCI-E bus can be programmed to assign each leaf to a separate domain using the Logical Domains Manager. Thus, you can enable more than one domain with direct access to physical devices instead of using I/O virtualization.

When the Logical Domains system is powered on, the control (primary) domain uses all the physical device resources, so the primary domain owns both the PCI-E bus leaves.

Caution – All internal disks on the supported servers are connected to a single leaf. If a control domain is booted from an internal disk, do not remove that leaf from the domain. Also, ensure that you are not removing the leaf with the primary network port. If you remove the wrong leaf from the control or service domain, that domain would not be able to access required devices and would become unusable. If the primary network port is on a different bus than the system disk, then move the network cable to an onboard network port and use the Logical Domains Manager to reconfigure the virtual switch (vsw) to reflect this change.

▼ To Create a Split PCI Configuration

The example shown here is for a Sun Fire T2000 Server. This procedure also can be used on a Sun Fire T1000 Server and a Netra T2000 Server. The instructions for different servers might vary slightly from these, but you can obtain the basic principles from the example. Mainly, you need to retain the leaf that has the boot disk and remove the other leaf from the primary domain and assign it to another domain.

CODE EXAMPLE 5-1 Long List of Logical Domain Configuration (Continued)

    service: primary-vds0 @ primary
Vcons: group2@primary-vcc0 [port:5001]
#


1. Verify that the primary domain owns both leaves of the PCI Express bus by using the following command:

$ ldm list-bindings primary
...
IO: pci@780 (bus_a)
    pci@7c0 (bus_b)
...

2. Determine the device path of the boot disk, which needs to be retained.

primary# df /
/ (/dev/dsk/c1t0d0s0 ): 1309384 blocks 457028 files

3. Determine the physical device to which the block device c1t0d0s0 is linked.

primary# ls -l /dev/dsk/c1t0d0s0
lrwxrwxrwx 1 root root 65 Feb 2 17:19 /dev/dsk/c1t0d0s0 -> ../../devices/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@0,0:a

In this example, the physical device for the boot disk for domain primary is under the leaf pci@7c0, which corresponds to our earlier listing of bus_b. This means that we can assign bus_a (pci@780) of the PCI-Express bus to another domain.

4. Check /etc/path_to_inst to find the physical path of the onboard network ports.

primary# grep e1000g /etc/path_to_inst

5. Remove the leaf that does not contain the boot disk (pci@780 in this example) from the primary domain.

primary# ldm remove-io pci@780 primary


6. Add this split PCI configuration (split-cfg in this example) to the system controller.

primary# ldm add-config split-cfg

This configuration (split-cfg) is also set as the next configuration to be used after the reboot.

7. Reboot the primary domain so that the change takes effect.

primary# shutdown -i6 -g0 -y

8. Add the leaf (pci@780 in this example) to the domain (ldg1 in this example) that needs direct access.

primary# ldm add-io pci@780 ldg1
Notice: the LDom Manager is running in configuration mode. Any configuration changes made will only take effect after the machine configuration is downloaded to the system controller and the host is reset.

If you have an Infiniband card, you might need to enable the bypass mode on the pci@780 bus. See "Enabling the I/O MMU Bypass Mode on a PCI Bus" on page 60 for a discussion of whether or not you need to enable the bypass mode.

9. Reboot domain ldg1 so that the change takes effect.

All domains must be inactive for this reboot. If you are configuring this domain for the first time, the domain will be inactive.

ldg1# shutdown -i6 -g0 -y


10. Confirm that the correct leaf is still assigned to the primary domain and the correct leaf is assigned to domain ldg1.

primary# ldm list-bindings primary
Name: primary
State: active
Flags: transition,control,vio service
OS:
Util: 0.3%
Uptime: 15m
Vcpu: 4
...
IO: pci@7c0 (bus_b)
...
----------------------------------------------------------------
Name: ldg1
State: active
Flags: transition
OS:
Util: 100%
Uptime: 6m
Vcpu: 1
...
IO: pci@780 (bus_a)
...

This output confirms that the PCI-E leaf bus_b and the devices below it are assigned to domain primary, and bus_a and its devices are assigned to ldg1.

Enabling the I/O MMU Bypass Mode on a PCI Bus

If you have an Infiniband Host Channel Adapter (HCA) card, you might need to turn the I/O memory management unit (MMU) bypass mode on. By default, Logical Domains software controls PCI-E transactions so that a given I/O device or PCI-E option can only access the physical memory assigned within the I/O domain. Any attempt to access memory of another guest domain is prevented by the I/O MMU. This provides a higher level of security between the I/O domain and all other domains. However, in the rare case where a PCI-E or PCI-X option card does not load or operate with the I/O MMU bypass mode off, this option allows you to turn the I/O MMU bypass mode on. However, if you turn the bypass mode on, there no longer is a hardware-enforced protection of memory accesses from the I/O domain.


The bypass=on option turns on the I/O MMU bypass mode. This bypass mode should be enabled only if the respective I/O domain and I/O devices within that I/O domain are trusted by all guest domains. This example turns on the bypass mode.

# ldm add-io bypass=on pci@780 ldg1

This example shows what the I/O information on a list for an unconfigured primary domain looks like:

...
IO: pci@780 (bus_a)
    (in IO MMU bypass mode)
    pci@7c0 (bus_b)
    (in IO MMU bypass mode)
...

This example shows what the I/O information on a list for a configured primary domain looks like:

...
IO: pci@780 (bus_a)
    pci@7c0 (bus_b)
...

This example shows what the I/O information on a list for a guest domain with I/O MMU bypass mode enabled on pci@7c0 (inactive) looks like:

...
IO: pci@7c0
    (IO MMU bypass mode requested)
...

This example shows what the I/O information on a list for a guest domain with I/O MMU bypass mode enabled on pci@7c0 (bound) looks like:

...
IO: pci@7c0 (bus_b)
    (in IO MMU bypass mode)
...
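Two parts of the preceding procedure are where mistakes are expensive: choosing the leaf to remove from primary (steps 2 to 5, and the Caution about the boot disk and the primary network port), and knowing afterwards which buses run without I/O MMU protection. The functions below, an added example rather than code from the guide, derive the leaf from the symlink target shown by ls -l, look up which leaf holds an e1000g instance in /etc/path_to_inst, refuse to pick a leaf when disk and NIC disagree, and list every bus whose list-bindings entry shows bypass mode in effect or requested. SAMPLE_PATH_TO_INST and SAMPLE_BINDINGS are constructed inputs in the format of those files and listings; the instance-to-leaf layout in the sample is an assumption, not a statement about any particular server.

```shell
# Added example (not from the LDoms guide): decide which PCI-E leaf can leave
# the primary domain, and audit which buses run with I/O MMU bypass.  Inputs
# follow the listings above; SAMPLE_PATH_TO_INST and SAMPLE_BINDINGS are
# constructed, so the instance-to-leaf layout is an assumption, not the T2000's.

SAMPLE_PATH_TO_INST='"/pci@7c0/pci@0/pci@1/network@0" 0 "e1000g"
"/pci@7c0/pci@0/pci@1/network@0,1" 1 "e1000g"
"/pci@780/pci@0/pci@1/network@0" 2 "e1000g"
"/pci@780/pci@0/pci@1/network@0,1" 3 "e1000g"'

SAMPLE_BINDINGS='Name: primary
State: active
Flags: transition,control,vio service
Vars: boot-device=/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/disk@0,0:a
IO: pci@7c0 (bus_b)
----------------------------------------------------------------
Name: ldg1
State: active
Flags: transition
IO: pci@780 (bus_a)
    (in IO MMU bypass mode)'

# leaf_of DEVPATH: the PCI-E leaf (first /devices component) of a path, e.g.
# the target of the /dev/dsk/c1t0d0s0 symlink in step 3 -> pci@7c0
leaf_of() {
    p=${1#*devices/}
    printf '%s\n' "${p%%/*}"
}

# nic_leaf INSTANCE: read /etc/path_to_inst on stdin, print the leaf that
# holds e1000g<INSTANCE> (step 4)
nic_leaf() {
    awk -v inst="$1" '$3 == "\"e1000g\"" && $2 == inst {
        sub(/^"\//, "", $1); split($1, a, "/"); print a[1]; exit }'
}

# removable_leaf BOOT_LEAF NIC_LEAF: the leaf to give to another domain, or
# failure when the boot disk and the primary NIC sit on different leaves (the
# Caution above: move the cable to a port on the boot leaf first)
removable_leaf() {
    if [ "$1" != "$2" ]; then
        echo "boot disk on $1 but primary NIC on $2: move the cable first" >&2
        return 1
    fi
    case "$1" in
        pci@780) echo pci@7c0 ;;
        pci@7c0) echo pci@780 ;;
        *) echo "unknown leaf $1" >&2; return 1 ;;
    esac
}

# bypass_buses: read "ldm list-bindings" output on stdin and print
# "<domain> <bus> on|requested" for every bus with I/O MMU bypass in effect
# or requested; bus names are only taken from IO: lines and their
# continuation lines, never from boot-device paths.
bypass_buses() {
    awk '
        /^Name:/ { dom = $2 }
        /^IO:/ || /^[ \t]+pci@/ {
            if (match($0, /pci@[0-9a-f]+/)) bus = substr($0, RSTART, RLENGTH) }
        /IO MMU bypass mode/ { print dom, bus, ($0 ~ /requested/ ? "requested" : "on") }
    '
}
```

On a control domain the first three functions chain as: take the symlink target from "ls -l /dev/dsk/c1t0d0s0", run it through leaf_of, run "nic_leaf 0 < /etc/path_to_inst" for the instance your primary network is plumbed on, and pass both results to removable_leaf; a non-zero exit means the Caution applies and the bus must not be removed yet. "ldm list-bindings | bypass_buses" should print nothing on a system where you have not deliberately traded the I/O MMU protection for an Infiniband card.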


Operating the Solaris OS With Logical Domains

This section describes the following changes in behavior in using the Solaris OS that occur once a configuration created by the Logical Domains Manager is instantiated; that is, domaining is enabled:

■ "After a Solaris OS Shutdown" on page 62
■ "After a Solaris OS Break Key Sequence (L1-A)" on page 62
■ "After Halting or Rebooting the Primary Domain" on page 63
■ "Some format(1M) Command Options Do Not Work With Virtual Disks" on page 63

After a Solaris OS Shutdown

If domaining is not enabled, the Solaris OS normally goes to the OpenBoot™ prompt after a shutdown(1M) command is issued. With domaining enabled, you receive the following prompt after shutdown:

r)eboot, o)k prompt, h)alt?

Type the letter that represents what you want the system to do after the shutdown.

After a Solaris OS Break Key Sequence (L1-A)

If domaining is not enabled, the Solaris OS normally goes to the OpenBoot prompt after a break key sequence (L1-A) is issued. With domaining enabled, you receive the following prompt after this type of break:

c)ontinue, s)ync, r)eboot, h)alt?

Type the letter that represents what you want the system to do after this type of break.


After Halting or Rebooting the Primary Domain

The following table shows the expected behavior of halting or rebooting the primary domain.

TABLE 5-1 Expected Behavior of Halting or Rebooting the Primary Domain

Action  Domaining Enabled?  Other Domain Configured?  Behavior
------  ------------------  ------------------------  ---------------------------------
Halt    Disabled            N/A                       Drops to the ok prompt
Halt    Enabled             No                        Powers off the host
Halt    Enabled             Yes                       Soft resets the host
Reboot  Disabled            N/A                       Powers off and powers on the host
Reboot  Enabled             No                        Powers off and powers on the host
Reboot  Enabled             Yes                       Soft resets the host

When you type halt at the Solaris OS prompt, you receive the following prompt:

r)eboot, o)k prompt, h)alt?

If you select h)alt or r)eboot, the behavior in Table 5-1 applies. If you select the o)k prompt, the behavior is to reboot the domain and return the domain to the ok prompt. This is not the same as dropping to the ok prompt when domaining is disabled.

A soft reboot restarts the domain with the system controller or Virtual Blade System Controller (vBSC) involvement. This results in doing a soft reset of the PCI framework.

Some format(1M) Command Options Do Not Work With Virtual Disks

The Solaris OS format(1M) command does not work in a guest domain with virtual disks:

■ Some subcommands, such as label, verify, or inquiry fail with virtual disks.

■ The format(1M) command might display messages, such as:

  ■ Inquiry failed
  ■ Disk unformatted


  ■ Current disk is unformatted
  ■ Drive type unknown

■ The format(1M) command crashes when you select a virtual disk that has an Extensible Firmware Interface (EFI) disk label.

■ When running the format(1M) command in a guest domain, all virtual disks are seen as unformatted, even when they are correctly formatted and have a valid disk label.

For getting or setting the volume table of contents (VTOC) of a virtual disk, use the prtvtoc(1M) command and fmthard(1M) command instead of the format(1M) command. You also can use the format(1M) command from the service domain on the real disks.

Moving a Logical Domain From One Server to Another

You can move a logical domain that is not running from one server to another. Before you move the domain, if you set up the same domain on two servers, the domain will be easier to move. In fact, you do not have to move the domain itself; you only have to stop and unbind the domain on one server and bind and start the domain on the other server.

During domain setup, do the following:

1. Create a domain with the same name on two servers; for example, create domainA1 on serverA and serverB.

2. Add a virtual disk server device and a virtual disk to both servers. The virtual disk server opens the underlying device for export as part of the bind, so the backing file or device must be reachable from whichever server the domain is bound on.

3. Bind the domain only on one server; for example, serverA. Leave the domain inactive on the other server.

When it comes time to move the domain, do the following:

1. Stop and unbind the domain on serverA.

2. Bind and start the domain on serverB.

Note – No resources are used until you bind the domain.


Using LDoms With ALOM CMT

This section describes information to be aware of in using Advanced Lights Out Manager (ALOM) Chip Multithreading (CMT) with the Logical Domains Manager. For more information about using the ALOM CMT software, refer to the Advanced Lights Out Management (ALOM) CMT v1.3 Guide.

Caution – The ALOM CMT documentation refers to only one domain, so you must be aware that the Logical Domains Manager is introducing multiple domains. If the control domain is restarted, I/O services for guest domains might be unavailable until the control domain has restarted. This is because the control domain functions as a service domain in the Logical Domains Manager 1.0 software. Guest domains appear to freeze during the reboot process. Once the control domain has fully restarted, the guest domains resume normal operations. It is only necessary to shut down guest domains when power is going to be removed from the entire server. See "Stopping, Unbinding, and Deleting a Guest Logical Domain" on page 52 for details.

An additional option is available to the existing ALOM CMT command:

bootmode [normal|reset_nvram|bootscript="string"|config="config-name"]

The config="config-name" option enables you to set the configuration on the next power on to another configuration, including the factory-default shipping configuration.

You can invoke the command whether the host is powered on or off. It takes effect on the next host reset or power on.

▼ To Reset the Logical Domain Configuration to the Default or Another Configuration

● Reset the logical domain configuration on the next power on to the default shipping configuration by executing this command in ALOM CMT software:

sc> bootmode config="factory-default"

You also can select other configurations that have been created with the Logical Domains Manager using the ldm add-config command and stored on the system controller (SC). The name you specify in the Logical Domains Manager ldm add-config command can be used to select that configuration with the ALOM CMT bootmode command. For example, assume you stored the configuration with the name ldm-config1:

sc> bootmode config="ldm-config1"

See Appendix A or the ldm man page for more information about the ldm add-config command.

Accessing the ldm(1M) Man Page

The command line interface (CLI) to the Logical Domains Manager is the ldm(1M) command. The man page ldm(1M) is part of the SUNWldm package and is installed when the SUNWldm package is installed. See also Appendix A for the complete text of the ldm(1M) man page.

▼ To Access the ldm(1M) Man Page

● Add the directory path /opt/SUNWldm/man to the variable $MANPATH.

Restrictions on Entering Names in the CLI

The following section describes the restrictions on entering names in the Logical Domains Manager CLI.

File Names (file) and Variable Names (var_name)

■ First character must be a letter, a number, or a forward slash (/).
■ Subsequent characters must be letters, numbers, or punctuation.


Virtual Disk Server file|device and Virtual Switch device Names

■ Must contain letters, numbers, or punctuation.

All Other Names

The remainder of the names, such as the logical domain name (ldom), service names (vswitch_name, service_name, vdpcs_service_name, and vcc_name), virtual network name (if_name), and virtual disk name (disk_name), must be in the following format:

■ First character must be a letter or number.
■ Subsequent characters must be letters, numbers, or any of the following characters: '-_+#.:;~()'
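Scripts that build ldm command lines from inventory data should validate names before passing them to the CLI rather than letting ldm reject them one at a time. The two validators below encode the rules in this section exactly (the domain/service name set, and the looser file and variable name set). This is an added example and is not code from the guide; it additionally rejects any name containing a newline, an assumption made so that a single name can never be split into two lines.

```shell
# Added example (not from the LDoms guide): validators for the two name
# classes described above, for scripts that build ldm command lines.  The
# character sets are those listed in this section; a name with an embedded
# newline is rejected outright.

nl='
'

# valid_ldom_name NAME: domain, service, vnet and vdisk names
valid_ldom_name() {
    case "$1" in *"$nl"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][-A-Za-z0-9_+#.:;~()]*$'
}

# valid_ldom_file NAME: file names and variable names (first character may
# also be "/", later characters may be any punctuation)
valid_ldom_file() {
    case "$1" in *"$nl"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9/][[:alnum:][:punct:]]*$'
}
```

Typical use is a guard before each ldm call, for example "valid_ldom_name "$dom" || { echo "bad domain name: $dom" >&2; exit 1; }".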

Enabling and Using BSM Auditing

The Logical Domains Manager uses the Solaris OS Basic Security Module (BSM) Auditing capability for auditing. BSM Auditing provides the means to examine the history of actions and events on your control domain to determine what happened. The history is kept in a log of what was done, when it was done, by whom, and what was affected.

If you want to use this auditing capability, this section describes how to enable, verify, disable, print output, and rotate audit logs. You can find further information about BSM Auditing in the Solaris 10 System Administration Guide: Security Services.

You can enable BSM Auditing in one of two ways. When you want to disable auditing, be sure you use the same method that you used in enabling. The two methods are:

■ Use the enable-bsm.fin finish script in the Solaris Security Toolkit.

The enable-bsm.fin script is not used by default by the ldm_control-secure.driver. You must enable the finish script in your chosen driver.

■ Use the Solaris OS bsmconv(1M) command.

Here are the procedures for both methods.


▼ To Use the enable-bsm.fin Finish Script

1. Copy the ldm_control-secure.driver to my-ldm.driver, where my-ldm.driver is the name for your copy of the ldm_control-secure.driver.

2. Copy the ldm_control-config.driver to my-ldm-config.driver, where my-ldm-config.driver is the name for your copy of the ldm_control-config.driver.

3. Copy the ldm_control-hardening.driver to my-ldm-hardening.driver, where my-ldm-hardening.driver is the name for your copy of the ldm_control-hardening.driver.

4. Edit my-ldm.driver to refer to the new configuration and hardening drivers, my-ldm-config.driver and my-ldm-hardening.driver, respectively.

5. Edit my-ldm-hardening.driver, and remove the pound sign (#) from the following line in the driver.

# enable-bsm.fin

6. Execute my-ldm.driver.

# /opt/SUNWjass/bin/jass-execute -d my-ldm.driver

7. Reboot the Solaris OS for auditing to take effect.

▼ To Use the Solaris OS bsmconv(1M) Command

1. Add vs in the flags: line of the /etc/security/audit_control file. The flags: line is a comma-separated list of audit classes, so, for example, flags:lo becomes flags:lo,vs.

2. Run the bsmconv(1M) command.

# /etc/security/bsmconv

For more information about this command, refer to the Solaris 10 Reference Manual Collection or the man page.

3. Reboot the Solaris Operating System for auditing to take effect.


▼ To Verify that BSM Auditing is Enabled

1. Type:

# auditconfig -getcond

2. Check that audit condition = auditing appears in the output.

▼ To Disable Auditing

You can disable auditing in one of two ways, depending on how you enabled it. See "Enabling and Using BSM Auditing" on page 67.

1. Do one of the following:

■ Undo the Solaris Security Toolkit hardening run which enabled BSM auditing.

# /opt/SUNWjass/bin/jass-execute -u

■ Use the Solaris OS bsmunconv(1M) command.

# /etc/security/bsmunconv

2. Reboot the Solaris OS for the disabling of auditing to take effect.

▼ To Print Audit Output

● Use one of the following to print BSM audit output.

■ Use the Solaris OS commands auditreduce(1M) and praudit(1M) to print audit output. The -c vs option selects only records of the vs audit class, the class you added to the flags: line when enabling auditing; -a restricts the output to records at or after the given date and time, written as YYYYMMDDhhmmss. For example:

# auditreduce -c vs | praudit
# auditreduce -c vs -a 20060502000000 | praudit

■ Use the Solaris OS praudit -x command to print XML output.
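Step 1 of the bsmconv procedure ("add vs in the flags: line") is the step most often done wrong by hand: a missing comma, a duplicate class, or an editor that leaves a truncated file behind. The functions below, an added example and not code from the guide or the Solaris Security Toolkit, make that edit idempotently through a temporary copy, and check the "auditconfig -getcond" output from the verification procedure. Running the first one against the real /etc/security/audit_control needs root; the file used in the test is a constructed copy, and the assumption is only that the file uses the flags:class,class layout described above.

```shell
# Added example (not from the LDoms guide): enable the "vs" audit class the
# way step 1 above asks, but idempotently and through a copy-then-replace so
# a failed edit never leaves /etc/security/audit_control truncated; then
# check the output of "auditconfig -getcond".  Try it on a copy first.

# add_audit_flag FILE CLASS: ensure CLASS is in the flags: line of FILE
# (appends to the comma-separated list, adds the line if it is missing,
# and is a no-op when CLASS is already present)
add_audit_flag() {
    file=$1 class=$2
    tmp=$(mktemp) || return 1
    awk -v cls="$class" '
        /^flags:/ {
            seen = 1
            n = split(substr($0, 7), f, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] == cls) have = 1
            }
            if (!have) $0 = (n == 0 || f[1] == "") ? ("flags:" cls) : ($0 "," cls)
        }
        { print }
        END { if (!seen) print "flags:" cls }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# auditing_enabled: read "auditconfig -getcond" output on stdin; succeeds
# only when the audit condition is "auditing"
auditing_enabled() {
    grep -q '^audit condition = auditing$'
}
```

After "add_audit_flag /etc/security/audit_control vs" and the bsmconv plus reboot steps, "auditconfig -getcond | auditing_enabled && echo ok" is the one-line confirmation; note that the file edit alone changes nothing until bsmconv has run and the system has rebooted.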


▼ To Rotate Audit Logs

● Use the Solaris OS audit -n command to rotate audit logs.

Using ldm list Subcommands

This section shows many of the ldm list subcommands and their output.

Syntax Usage for the ldm Subcommands

▼ To Show Syntax Usage for ldm Subcommands

● To look at syntax usage for all ldm subcommands, do the following:

CODE EXAMPLE 5-2 Syntax Usage for All ldm Subcommands

# ldm --help
Usage: ldm [--help] command [options] [properties] operands

Command(s) for each resource:

    bindings
        list-bindings <ldom>*

    services
        list-services <ldom>*

    constraints
        list-constraints (-x|--xml <ldom>) | ([-p|--parseable] <ldom>*)

    devices
        list-devices [-a] [cpu | mau | memory | io]

    domain ( dom )
        add-domain -i <file> | --input <file> | <ldom>
        remove-domain -a|--all | <ldom> [<ldom>]*
        list-domain [-l | --long] [-p | --parseable ] <ldom>
        start-domain -a|--all | -i <file> | --input <file> | <ldom> [<ldom>]*
        stop-domain [-f|--force] (-a|--all | <ldom> [<ldom>]*)
        bind-domain -i <file> | --input <file> | <ldom>
        unbind-domain <ldom>

    io
        add-io [bypass=on] <bus> <ldom>
        remove-io <bus> <ldom>

    mau
        add-mau <number> <ldom>
        set-mau <number> <ldom>
        remove-mau <number> <ldom>

    memory ( mem )
        add-memory <number>[GMK] <ldom>
        set-memory <number>[GMK] <ldom>
        remove-memory <number>[GMK] <ldom>

    reconf
        remove-reconf <ldom>

    config ( spconfig )
        add-spconfig <config_name>
        set-spconfig <config_name>
        remove-spconfig <config_name>
        list-spconfig

    variable ( var )
        add-variable <var_name>=<value> <ldom>
        set-variable <var_name>=<value> <ldom>
        remove-variable <var_name> <ldom>
        list-variable [<var_name>*] <ldom>

    vconscon ( vcc )
        add-vconscon port-range=<x>-<y> <vcc_name> <ldom>
        set-vconscon port-range=<x>-<y> <vcc_name>
        remove-vconscon [-f|--force] <vcc_name>

    vconsole ( vcons )
        set-vconsole [<group>@]<vcc_name> <ldom>

    vcpu
        add-vcpu <number> <ldom>
        set-vcpu <number> <ldom>
        remove-vcpu <number> <ldom>

    vdisk
        add-vdisk <disk_name> <volume_name>@<service_name> <ldom>
        remove-vdisk [-f|--force] <disk_name> <ldom>

    vdiskserver ( vds )
        add-vdiskserver <service_name> <ldom>
        remove-vdiskserver [-f|--force] <service_name>

    vdpcc ( ndpsldcc )
        add-vdpcc <vdpcc_name> <service_name> <ldom>
        remove-vdpcc [-f|--force] <vdpcc_name> <ldom>

    vdpcs ( ndpsldcs )
        add-vdpcs <vdpcs_name> <ldom>
        remove-vdpcs [-f|--force] <vdpcs_name>

    vdiskserverdevice ( vdsdev )
        add-vdiskserverdevice <file|device> <volume_name>@<service_name>
        remove-vdiskserverdevice [-f|--force] <volume_name>@<service_name>

    vnet
        add-vnet [mac-addr=<num>] <if_name> <vswitch_name> <ldom>
        set-vnet [mac-addr=<num>] [vswitch=<vswitch_name>] <if_name> <ldom>
        remove-vnet [-f|--force] <if_name> <ldom>

    vswitch ( vsw )
        add-vswitch [mac-addr=<num>] [net-dev=<device>] <vswitch_name> <ldom>
        set-vswitch [mac-addr=<num>] [net-dev=<device>] <vswitch_name>
        remove-vswitch [-f|--force] <vswitch_name>

Command aliases:
    Alias          Command
    -----          -------
    ls             list
    ls-*           list-*
    rm-*           remove-*
    *-dom          *-domain
    *-config       *-spconfig
    bind           bind-domain
    create         add-domain
    destroy        remove-domain
    start          start-domain
    stop           stop-domain
    unbind         unbind-domain
    cancel-reconf  remove-reconf


Flag Definitions in List Output

The following flags might be shown in the output for a domain:

■ c = control domain
■ v = virtual I/O service domain
■ d = delayed reconfiguration
■ t = transition
■ n = normal
■ s = starting or stopping

If you use the long (-l) option for the command, the flags are spelled out. If not, you see the letter abbreviation.

Examples of Various Lists

▼ To Show Software Versions

● To show the current software versions installed, do the following and you receive a listing similar to the following:

CODE EXAMPLE 5-3 Software Versions Installed

# ldm -V
Logical Domain Manager (v 1.0)
    Hypervisor control protocol v 1.0

System PROM:
    ResetConfig v. 0.0.0 for LDoms 1.0 (full version information not yet available)
    Hypervisor  v. 0.0.0 for LDoms 1.0 (full version information not yet available)
    OpenBoot    v. 0.0.0 for LDoms 1.0 (full version information not yet available)

▼ To Generate a Short List

● To generate a short list for all domains, do the following:

CODE EXAMPLE 5-4 Short List for All Domains

# ldm list
Name     State   Flags  Cons  VCPU  Memory  Util  Uptime
primary  active  -t-cv  SP    4     1G      0.5%  3d 21h 7m
ldg1     active  -t---  5000  8     1G      23%   2m

▼ To Generate a Long List

● To generate a long list for all domains, do the following:

CODE EXAMPLE 5-5 Long List for All Domains

# ldm list -l
Name: primary
State: active
Flags: transition,control,vio service
OS:
Util: 0.4%
Uptime: 3d 21h 8m
Vcpu: 4
    vid pid util strand
    0   0   1.3% 100%
    1   1   0.4% 100%
    2   2   0.1% 100%
    3   3   0.1% 100%
Memory: 1G
    real-addr  phys-addr  size
    0x4000000  0x4000000  1G
Vars: boot-device=/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/disk@0,0:a
    reboot-command=boot
IO: pci@780 (bus_a)
    pci@7c0 (bus_b)
Vldc: primary-vldc0 [num_clients=4]
Vldc: primary-vldc3 [num_clients=7]
Vds: primary-vds0 [num_clients=1]
    vdsdev: vol0 device=/export/home/solaris_10.disk
Vcc: primary-vcc0 [num_clients=1]
    port-range=5000-5100
Vsw: primary-vsw0 [num_clients=1]
    mac-addr=0:14:4f:fa:ff:fa
    net-dev=e1000g0
    mode=prog,promisc
Vcons: SP
-----------------------------------------------------------------------------
Name: ldg1
State: active
Flags: transition
OS:
Util: 0.0%
Uptime: 2m
Vcpu: 8
    vid pid util strand
    0   4   1.4% 100%
    1   5   1.0% 100%
    2   6   1.0% 100%
    3   7   0.9% 100%
    4   8   77%  100%
    5   9   78%  100%
    6   10  78%  100%
    7   11  79%  100%
Memory: 1G
    real-addr  phys-addr   size
    0x4000000  0x44000000  1G
Vars: boot-device=/virtual-devices@100/channel-devices@200/disk@0:a
    nvramrc=devalias vnet0 /virtual-devices@100/channel-devices@200/network@0
    use-nvramrc?=true
Vdisk: vdisk0 vol0@primary-vds
    service: primary-vds0 @ primary
Vnet: vnet0
    mac-addr=0:14:4f:fa:f:5
    service: primary-vsw0 @ primary
Vcons: ldg1@primary-vcc0 [port:5000]

▼ To Generate a Parseable, Machine-Readable List

● To generate a parseable, machine-readable list of all domains, do the following:

CODE EXAMPLE 5-6 Machine-Readable List

# ldm list -p
primary|active|-t-cv|SP|4|1073741824|0.5|335269
ldg1|active|-t---|5000|8|1073741824|0.2|128
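The parseable form in CODE EXAMPLE 5-6 is the one to consume from scripts, and the flag letters defined under "Flag Definitions in List Output" are what you decode from its third field. The functions below are an added example, not code from the guide: they expand a short Flags string into the long names, summarize each domain from "ldm list -p", and pick out domains whose console is reachable through a vcc port. The field order (name|state|flags|cons|vcpu|memory in bytes|util|uptime) is read off CODE EXAMPLE 5-6 and SAMPLE_LIST_P is a constructed copy of that output; treating a numeric Cons value as a vcc port is an assumption based on the port-range shown for primary-vcc0.

```shell
# Added example (not from the LDoms guide): decode the short Flags column and
# turn "ldm list -p" lines into a readable inventory.  dom_summary and
# console_ports read the parseable listing on stdin.  Field order
# (name|state|flags|cons|vcpu|memory in bytes|util|uptime) is taken from
# CODE EXAMPLE 5-6; SAMPLE_LIST_P is a constructed copy of that output.

SAMPLE_LIST_P='primary|active|-t-cv|SP|4|1073741824|0.5|335269
ldg1|active|-t---|5000|8|1073741824|0.2|128'

# decode_flags FLAGS: "-t-cv" -> "transition,control,vio service"
decode_flags() {
    printf '%s\n' "$1" | awk '
        BEGIN { m["c"] = "control"; m["v"] = "vio service"
                m["d"] = "delayed reconfiguration"; m["t"] = "transition"
                m["n"] = "normal"; m["s"] = "starting or stopping" }
        { out = ""
          for (i = 1; i <= length($0); i++) {
              ch = substr($0, i, 1)
              if (ch in m) out = out (out == "" ? "" : ",") m[ch]
          }
          print out }'
}

# dom_summary: one line per domain: name state role vcpus memory_MiB
# (role is "control" when the c flag is set, "guest" otherwise)
dom_summary() {
    awk -F'|' 'NF >= 8 {
        role = index($3, "c") ? "control" : "guest"
        printf "%s %s %s %s %d\n", $1, $2, role, $5, $6 / 1048576 }'
}

# console_ports: "name port" for every domain whose Cons field is a vcc
# port number rather than SP (the control domain's console on the SC)
console_ports() {
    awk -F'|' 'NF >= 8 && $4 ~ /^[0-9]+$/ { print $1, $4 }'
}
```

"ldm list -p | console_ports" is a quick inventory of which guest consoles are exposed on the vcc port range, which is worth knowing before opening that range on a firewall.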


▼ To Show the Status of a Domain

● To look at the status of a domain, for example guest domain ldg1, do the following:

CODE EXAMPLE 5-7 Guest Domain Status

# ldm list-domain ldg1
Name     State   Flags  Cons  VCPU  Memory  Util  Uptime
ldg1     active  -t---  5000  8     1G      0.3%  2m

▼ To List a Variable

● To list a variable (for example, boot-device) for a domain (for example, ldg1), do the following:

CODE EXAMPLE 5-8 Variable List for a Domain

# ldm list-variable boot-device ldg1
boot-device=/virtual-devices@100/channel-devices@200/disk@0:a

▼ To List Bindings

● To list resources that are bound for a domain, for example ldg1, do the following:

CODE EXAMPLE 5-9 Bindings List for a Domain

# ldm list-bindings ldg1
Name: ldg1
State: active
Flags: transition
OS:
Util: 0.3%
Uptime: 5m
Vcpu: 8
    vid pid util strand
    0   4   0.3% 100%
    1   5   0.0% 100%
    2   6   2.4% 100%
    3   7   0.1% 100%
    4   8   0.0% 100%
    5   9   0.0% 100%
    6   10  1.0% 100%
    7   11  0.4% 100%
Memory: 1G
    real-addr  phys-addr   size
    0x4000000  0x44000000  1G
Vars: boot-device=/virtual-devices@100/channel-devices@200/disk@0:a
    nvramrc=devalias vnet0 /virtual-devices@100/channel-devices@200/network@0
    use-nvramrc?=true
Vldcc: vldcc0 [Domain Services]
    service: primary-vldc0 @ primary
    [LDC: 0x0]
Vdisk: vdisk0 vol0@primary-vds0
    service: primary-vds0 @ primary
    [LDC: 0x1]
Vnet: vnet0
    mac-addr=0:14:4f:fa:f:55
    service: primary-vsw0 @ primary
    [LDC: 0x2]
Vcons: [via LDC:3]
    ldg1@primary-vcc0 [port:5000]

▼ To List Configurations

● To list logical domain configurations that have been stored on the SC, do the following:

CODE EXAMPLE 5-10 Configurations List

# ldm list-config
factory-default [current]
initial [next]

The labels to the right of the configuration name mean the following:

■ current - configuration currently being used
■ next - configuration to be used at the next power cycle


▼ To List Devices

● To list all server resources, bound and unbound, do the following:

CODE EXAMPLE 5-11 List of All Server Resources

# ldm list-devices -a
vCPU:
    vCPUID  %FREE
    0       0%
    1       0%
    2       0%
    3       0%
    4       0%
    5       0%
    6       0%
    7       0%
    8       0%
    9       0%
    10      0%
    11      0%
    12      100%
    13      100%
    14      100%
    15      100%
    16      100%
    17      100%
    18      100%
    19      100%
    20      100%
    21      100%
    22      100%
    23      100%
    24      100%
    25      100%
    26      100%
    27      100%
    28      100%
    29      100%
    30      100%
    31      100%

MAU:
    Free MA-Units:
    cpuset (0, 1, 2, 3)
    cpuset (4, 5, 6, 7)
    cpuset (8, 9, 10, 11)
    cpuset (12, 13, 14, 15)
    cpuset (16, 17, 18, 19)
    cpuset (20, 21, 22, 23)
    cpuset (24, 25, 26, 27)
    cpuset (28, 29, 30, 31)

    Bound MA-Units:

Memory:
    Available mblocks:
    PADDR       SIZE
    0x84800000  6072M (0x17b800000)

    Bound mblocks:
    PADDR       SIZE
    0x0         512K (0x80000)
    0x80000     1536K (0x180000)
    0x4000000   1G (0x40000000)
    0x200000    62M (0x3e00000)
    0x84000000  8M (0x800000)
    0x44000000  1G (0x40000000)

    Total Memory 8G

I/O Devices:
    Free Devices:

    Bound Devices:
    pci@780 (bus_a)
    pci@7c0 (bus_b)


▼ To List Services

● To list the services that are available, do the following:

CODE EXAMPLE 5-12 Services List

# ldm list-services
Vldc: primary-vldc0
Vldc: primary-vldc3
Vds:  primary-vds0
      vdsdev: vol0 device=/export/home/solaris_10.disk
Vcc:  primary-vcc0
      port-range=5000-5100
Vsw:  primary-vsw0
      mac-addr=0:14:4f:fa:ff:fa
      net-dev=e1000g0
      mode=prog,promisc

Listing Constraints

To the Logical Domains Manager, constraints are one or more resources you want to have assigned to a particular domain. Binding is all or nothing: depending on the available resources, either every resource you asked to be added to a domain is assigned, or none of them is. The list-constraints subcommand lists the resources you requested for the domain.

▼ To List Constraints for All Domains

● To list constraints for all domains, do the following:

CODE EXAMPLE 5-13 Constraints List for All Domains

# ldm list-constraints
Name: primary
Vcpu: 4
Memory: 1G
Vars: boot-device=/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/disk@0,0:a
      reboot-command=boot
IO:   pci@780
      pci@7c0
Vldc: primary-vldc0
Vldc: primary-vldc3
Vds:  primary-vds0


CODE EXAMPLE 5-13 Constraints List for All Domains (Continued)

      vdsdev: vol0 device=/export/home/solaris_10.disk
Vcc:  primary-vcc0
      port-range=5000-5100
Vsw:  primary-vsw0
      mac-addr=0:14:4f:fa:ff:fa
      net-dev=e1000g0
-----------------------------------------------------------------------------
Name: ldg1
Vcpu: 8
Memory: 1G
Vars: boot-device=/virtual-devices@100/channel-devices@200/disk@0:a
      nvramrc=devalias vnet0 /virtual-devices@100/channel-devices@200/network@0
      use-nvramrc?=true
Vdisk: vdisk0 vol0@primary-vds0
       service: primary-vds0
Vnet:  vnet0
       mac-addr=0:14:4f:fa:f:55
       service: primary-vsw0

▼ To List Constraints in XML Format

1. To list constraints in XML format for a particular domain (ldg1 in this example), do the following:

CODE EXAMPLE 5-14 Constraints for a Domain in XML Format

# ldm list-constraints -x ldg1
<?xml version="1.0"?>
<LDM_interface version="1.0">
  <data version="1.0">
    <ldom_info>
      <ldom_name>ldg1</ldom_name>
    </ldom_info>
    <cpu>
      <number>8</number>
    </cpu>
    <memory>
      <size>1024M</size>
    </memory>
    <network>
      <vnet_name>vnet0</vnet_name>
      <service_name>primary-vsw0</service_name>
    </network>


CODE EXAMPLE 5-14 Constraints for a Domain in XML Format (Continued)

    <disk>
      <vdisk_name>vdisk0</vdisk_name>
      <service_name>primary-vds0</service_name>
      <vol_name>vol0</vol_name>
    </disk>
    <var>
      <name>boot-device</name>
      <value>/virtual-devices@100/channel-devices@200/disk@0:a disknet</value>
    </var>
    <var>
      <name>nvramrc</name>
      <value>devalias vnet0 /virtual-devices@100/channel-devices@200/network@0</value>
    </var>
    <var>
      <name>use-nvramrc?</name>
      <value>true</value>
    </var>
  </data>
</LDM_interface>

▼ To List Constraints in a Machine-Readable Format

● To list constraints for all domains in a parseable format, do the following:

CODE EXAMPLE 5-15 Constraints for All Domains in a Machine-Readable Format

# ldm list-constraints -p
Name: primary
Vcpu: 4
Memory: 1073741824
Vars:
boot-device=/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/disk@0,0:a
reboot-command=boot
IO:
pci@780
pci@7c0
Vldc: primary-vldc0
Vldc: primary-vldc3
Vds: primary-vds0
vdsdev: vol0 device=/export/home/solaris_10.disk
Vcc: primary-vcc0
port-range=5000-5100


CODE EXAMPLE 5-15 Constraints for All Domains in a Machine-Readable Format (Continued)

Vsw: primary-vsw0
mac-addr=0:14:4f:fa:ff:fa
net-dev=e1000g0
-----------------------------------------------------------------------------
Name: ldg1
Vcpu: 8
Memory: 1073741824
Vars:
boot-device=/virtual-devices@100/channel-devices@200/disk@0:a
nvramrc=devalias vnet0 /virtual-devices@100/channel-devices@200/network@0
use-nvramrc?=true
Vdisk: vdisk0 vol0@primary-vds0
service: primary-vds0
Vnet: vnet0
mac-addr=0:14:4f:fa:f:55
service: primary-vsw0

Using Console Groups

The virtual network terminal server daemon, vntsd(1M), enables you to provide access for multiple domain consoles using a single TCP port. At the time of domain creation, the Logical Domains Manager assigns a unique TCP port to each console by creating a new default group for that domain’s console. The TCP port is then assigned to the console group as opposed to the console itself. The console can be bound to an existing group using the set-vcons subcommand. Whoever can connect to a group’s port can select any console in that group, so put consoles in the same group only when the same people are meant to reach all of them.

▼ To Use Console Groups

1. Bind the consoles for the domains into one group.

The following example shows binding the console for three different domains (ldg1, ldg2, and ldg3) to the same console group (group1).

# ldm set-vcons group1@primary-vcc0 ldg1
# ldm set-vcons group1@primary-vcc0 ldg2
# ldm set-vcons group1@primary-vcc0 ldg3


2. Connect to the associated TCP port (localhost at port 5000 in this example).

# telnet localhost 5000
primary-vnts-group1: h, l, c{id}, n{name}, q:

You are prompted to select one of the domain consoles.

3. List the domains within the group by selecting l (list).

primary-vnts-group1: h, l, c{id}, n{name}, q: l
DOMAIN ID    DOMAIN NAME    DOMAIN STATE
0            ldg1           online
1            ldg2           online
2            ldg3           online

Note – To re-assign the console to a different group or vcc instance, the domain must be unbound; that is, it has to be in the inactive state. Refer to the Solaris 10 OS vntsd(1M) man page for more information on configuring and using SMF to manage vntsd and using console groups.

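The two parseable listings earlier in this chapter, ldm list-devices -a (CODE EXAMPLE 5-11) and ldm list-constraints -p (CODE EXAMPLE 5-15), are what a script should consume rather than the human-oriented output. The following is an added example and not part of the guide: a POSIX sh pre-bind check that, because bind-domain is all or nothing, tells you in advance whether a domain’s constraints fit in what the hypervisor still has free, and which domains hold physical PCI buses. The two listings inside it, and the domains ldg2 and ldg9, are constructed for the illustration in the formats shown above; on a control domain you would fill LIST_DEVICES and CONSTRAINTS from the live commands named in the comments.

```shell
#!/bin/sh
# Added example, not part of the LDoms guide: a pre-bind check built on the
# two parseable listings shown above. bind-domain is all-or-nothing, so it
# helps to know beforehand whether a domain's constraints fit into what
# "ldm list-devices -a" still reports free, and which domains hold physical
# PCI buses and are therefore I/O domains. Both listings are CONSTRUCTED in
# the formats of CODE EXAMPLE 5-11 and 5-15 (ldg2 and ldg9 are invented,
# unbound domains); on a control domain you would use
#   LIST_DEVICES=$(ldm list-devices -a)  CONSTRAINTS=$(ldm list-constraints -p)

LIST_DEVICES='vCPU:
    vCPUID    %FREE
    0         0%
    1         0%
    2         0%
    3         0%
    4         100%
    5         100%
    6         100%
    7         100%

Memory:
    Available mblocks:
        PADDR        SIZE
        0x84800000   6072M (0x17b800000)
    Bound mblocks:
        PADDR        SIZE
        0x4000000    1G (0x40000000)
        0x44000000   1G (0x40000000)
    Total Memory 8G'

CONSTRAINTS='Name: primary
Vcpu: 4
Memory: 1073741824
Vars:
boot-device=/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/disk@0,0:a
IO:
pci@780
pci@7c0
Vds: primary-vds0
vdsdev: vol0 device=/export/home/solaris_10.disk
Vsw: primary-vsw0
net-dev=e1000g0
-----------------------------------------------------------------------------
Name: ldg2
Vcpu: 4
Memory: 1073741824
Vdisk: vdisk0 vol0@primary-vds0
service: primary-vds0
-----------------------------------------------------------------------------
Name: ldg9
Vcpu: 2
Memory: 8589934592
Vdisk: vdisk0 vol1@primary-vds0
service: primary-vds0'

# Strands the hypervisor can still hand out (%FREE is 100%).
free_vcpus() {
  printf '%s\n' "$LIST_DEVICES" | awk '
    $1 == "vCPU:"          { in_cpu = 1; next }
    /^[A-Za-z]/            { in_cpu = 0 }
    in_cpu && $2 == "100%" { n++ }
    END                    { print n + 0 }'
}

# Unbound memory in bytes, summed from the hex sizes of the available mblocks.
free_memory_bytes() {
  total=0
  for hex in $(printf '%s\n' "$LIST_DEVICES" | awk '
      /Available mblocks:/  { avail = 1; next }
      /Bound mblocks:/      { avail = 0 }
      avail && $3 ~ /^\(0x/ { gsub(/[()]/, "", $3); print $3 }'); do
    total=$((total + hex))
  done
  echo "$total"
}

# "vcpus bytes" requested by one domain; empty if the name is unknown.
domain_request() {
  printf '%s\n' "$CONSTRAINTS" | awk -v want="$1" '
    $1 == "Name:"                  { cur = $2 }
    cur == want && $1 == "Vcpu:"   { v = $2 }
    cur == want && $1 == "Memory:" { m = $2 }
    END                            { if (v != "") print v, m }'
}

# True when every constraint of the domain fits in the free pool.
can_bind() {
  set -- $(domain_request "$1")
  [ $# -eq 2 ] || return 2
  [ "$1" -le "$(free_vcpus)" ] && [ "$2" -le "$(free_memory_bytes)" ]
}

# Domains that own at least one pci@ bus.
io_domains() {
  printf '%s\n' "$CONSTRAINTS" | awk '
    $1 == "Name:"    { cur = $2; in_io = 0 }
    $1 == "IO:"      { in_io = 1; next }
    /^[A-Za-z]+:/    { in_io = 0 }
    in_io && /^pci@/ { if (!seen[cur]++) print cur }'
}

# The guide allows at most two I/O domains, one of them the control domain.
check_io_policy() {
  n=0; has_primary=0
  for d in $(io_domains); do
    n=$((n + 1)); [ "$d" = primary ] && has_primary=1
  done
  [ "$n" -le 2 ] && [ "$has_primary" -eq 1 ]
}

for d; do
  if can_bind "$d"; then echo "$d: fits ($(domain_request "$d") requested)"
  else echo "$d: does not fit, or is not a known domain"; fi
done
echo "I/O domains: $(io_domains | tr '\n' ' ')"
check_io_policy && echo "I/O ownership is within the limits stated in the guide"
```

Run it with the names of the domains you are about to bind as arguments. With the constructed listings, ldg2 (4 vcpus, 1G) fits in the 4 free strands and 6072M of free memory, while ldg9 is refused on memory alone even though its 2 vcpus would fit, which is exactly the case where a real bind-domain would fail as a whole.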
Configuring Virtual Switch and Service Domain for NAT and Routing

The virtual switch (vswitch) is a layer-2 switch that can also be used as a network device in the service domain. The virtual switch can be configured to act only as a switch between the virtual network (vnet) devices in the various logical domains, with no connectivity to a network outside the box through a physical device. In this mode, plumbing the vswitch as a network device and enabling IP routing in the service domain lets the virtual networks communicate outside the box using the service domain as a router. This is the way to provide external connectivity to the domains when the physical network adapter is not GLDv3-compliant. It also puts the service domain in the data path of every guest, so the IP routing and filtering rules configured there decide what the guests can reach.

The advantages of this configuration are:

■ The virtual switch does not need to use a physical device directly and can provide external connectivity even when the underlying device is not GLDv3-compliant.

■ The configuration can take advantage of the IP routing and filtering capabilities of the Solaris OS.


▼ To Set Up the Virtual Switch to Provide External Connectivity to Domains

1. Create a virtual switch with no associated physical device. If assigning an address, ensure that the virtual switch has a unique MAC address.

ldm add-vsw [mac-addr=xx:xx:xx:xx:xx:xx] primary-vsw0 primary

2. Plumb the virtual switch as a network device in addition to the physical network device being used by the domain.

See “To Configure the Virtual Switch as the Primary Interface” on page 43 for more information about plumbing the virtual switch.

3. Configure the virtual switch device for DHCP, if needed.

See “To Configure the Virtual Switch as the Primary Interface” on page 43 for more information about configuring the virtual switch device for DHCP.

4. Create the /etc/dhcp.vsw file, if needed.

5. Configure IP routing in the service domain, and set up required routing tables in all the domains.

For information about how to do this, refer to the section on “Packet Forwarding and Routing on IPv4 Networks” in Chapter 5 “Configuring TCP/IP Network Services and IPv4 Administration” in the System Administration Guide: IP Services in the Solaris Express System Administrator Collection.

Using ZFS With Virtual Disks

The following topics regarding using the Zettabyte File System (ZFS) with virtual disks on logical domains are described in this section:

■ “Creating a Virtual Disk on Top of a ZFS Volume” on page 86
■ “Using ZFS Over a Virtual Disk” on page 87
■ “Using ZFS for Boot Disks” on page 89


Creating a Virtual Disk on Top of a ZFS Volume

The following procedure describes how to create a ZFS volume in a service domain and make that volume available to other domains as a virtual disk. In this example, the service domain is the same as the control domain and is named primary. The guest domain is named ldg1 as an example. The prompts in each step show in which domain to run the command.

▼ To Create a Virtual Disk on Top of a ZFS Volume

1. Create a ZFS storage pool (zpool).

primary# zpool create -f tank1 c2t42d1

2. Create a ZFS volume.

primary# zfs create -V 100m tank1/myvol

3. Verify that the zpool (tank1 in this example) and ZFS volume (tank1/myvol in this example) have been created.

primary# zfs list
NAME          USED   AVAIL  REFER  MOUNTPOINT
tank1         100M   43.0G  24.5K  /tank1
tank1/myvol   22.5K  43.1G  22.5K  -

4. Configure a service exporting tank1/myvol as a virtual disk.

primary# ldm add-vdsdev /dev/zvol/rdsk/tank1/myvol zvol@primary-vds0

5. Add the exported disk to another domain (ldg1 in this example).

primary# ldm add-vdisk vzdisk zvol@primary-vds0 ldg1


6. On the other domain (ldg1 in this example), start the domain and ensure that the new virtual disk is visible (you might have to run the devfsadm command). In this example, the new disk appears as /dev/rdsk/c2d2s0.

ldg1# newfs /dev/rdsk/c2d2s0
newfs: construct a new file system /dev/rdsk/c2d2s0: (y/n)? y
Warning: 4096 sector(s) in last cylinder unallocated
Warning: 4096 sector(s) in last cylinder unallocated
/dev/rdsk/c2d2s0: 204800 sectors in 34 cylinders of 48 tracks, 128 sectors
        100.0MB in 3 cyl groups (14 c/g, 42.00MB/g, 20160 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
 32, 86176, 172320,

ldg1# mount /dev/dsk/c2d2s0 /mnt

ldg1# df -h /mnt
Filesystem            size   used  avail capacity  Mounted on
/dev/dsk/c2d2s0        93M   1.0M    82M     2%    /mnt

Note – A ZFS volume is exported to a logical domain as a virtual disk slice. Therefore, it is not possible to either use the format command or install the Solaris OS to a zvol-backed virtual disk.

Using ZFS Over a Virtual Disk

The following procedure shows how to directly use ZFS from a domain on top of a virtual disk. You can create ZFS pools, file systems, and volumes over the top of virtual disks with the Solaris 10 OS zpool(1M) and zfs(1M) commands. Although the storage backend is different (virtual disks instead of physical disks), there is no change to the usage of ZFS.

Additionally, if you have an already existing ZFS file system, then you can export it from a service domain to use it in another domain.

In this example, the service domain is the same as the control domain and is named primary. The guest domain is named ldg1 as an example. The prompts in each step show in which domain to run the command.


▼ To Use ZFS Over a Virtual Disk

1. Create a zpool (tank in this example), and then verify that it has been created.

primary# zpool create -f tank c2t42d0
primary# zpool list
NAME   SIZE   USED  AVAIL  CAP  HEALTH  ALTROOT
tank   43.8G  108K  43.7G  0%   ONLINE  -

2. Create a ZFS file system (tank/test in this example), and then verify that it has been created. In this example, the file system is created on top of disk c2t42d0 by running the following command on the service domain:

primary# zfs create tank/test
primary# zfs list
NAME        USED   AVAIL  REFER  MOUNTPOINT
tank        106K   43.1G  25.5K  /tank
tank/test   24.5K  43.1G  24.5K  /tank/test

3. Export the ZFS pool (tank in this example).

primary# zpool export tank

4. Configure a service exporting the physical disk c2t42d0s2 as a virtual disk.

primary# ldm add-vdsdev /dev/rdsk/c2t42d0s2 volz@primary-vds0

5. Add the exported disk to another domain (ldg1 in this example).

primary# ldm add-vdisk vdiskz volz@primary-vds0 ldg1


6. On the other domain (ldg1 in this example), start the domain and make sure the new virtual disk is visible (you might have to run the devfsadm command), and then import the ZFS pool.

ldg1# zpool import tank
ldg1# zpool list
NAME   SIZE   USED  AVAIL  CAP  HEALTH  ALTROOT
tank   43.8G  214K  43.7G  0%   ONLINE  -

ldg1# zfs list
NAME        USED   AVAIL  REFER  MOUNTPOINT
tank        106K   43.1G  25.5K  /tank
tank/test   24.5K  43.1G  24.5K  /tank/test

ldg1# df -hl -F zfs
Filesystem   size   used  avail capacity  Mounted on
tank          43G    25K    43G     1%    /tank
tank/test     43G    24K    43G     1%    /tank/test

The ZFS pool (tank in this example) and its file system (tank/test) are now imported and usable from domain ldg1. Leave the pool exported in the service domain for as long as ldg1 has it imported: ZFS is not a shared file system, and importing the same pool in two domains at once corrupts it.

Using ZFS for Boot Disks

A ZFS file system with a large file can be used as the virtual disks in logical domains.

Note – A ZFS file system requires more memory in the service domain. Take this into account when configuring the service domain.

ZFS enables:

■ Cloning a file system quickly
■ Using the clones to provision additional domains
■ Net installing to disk on files and files within a ZFS file system

▼ To Use ZFS for Boot Disks

The following procedure can be used to create ZFS disks for logical domains, and also snapshot and clone them for other domains.

1. On the primary domain, reserve an entire disk or slice for use as the storage for the ZFS pool. Step 2 uses slice 5 of a disk.


2. Create a ZFS pool; for example, ldomspool.

# zpool create ldomspool /dev/dsk/c0t0d0s5

3. Create a ZFS file system for the first domain (ldg1 in this example).

# zfs create ldomspool/ldg1

4. Create a file to be the disk for this domain.

# mkfile 1G /ldomspool/ldg1/bootdisk

5. Specify the file as the device to use when creating the domain.

# ldm add-vdsdev /ldomspool/ldg1/bootdisk vol1@primary-vds0
# ldm add-vdisk vdisk1 vol1@primary-vds0 ldg1

6. Boot domain ldg1 and net install to vdisk1. This file functions as a full disk and can have partitions; that is, separate partitions for root, usr, home, dump, and swap.

7. Once the installation is complete, snapshot the file system.

# zfs snapshot ldomspool/ldg1@initial

Note – Taking the snapshot before the domain reboots does not save the domain state as part of the snapshot or of any clones created from the snapshot.

8. Create additional clones from the snapshot and use them as the boot disks for other domains (ldg2 and ldg3 in this example).

# zfs clone ldomspool/ldg1@initial ldomspool/ldg2
# zfs clone ldomspool/ldg1@initial ldomspool/ldg3


9. Verify that everything was created successfully.

# zfs list
NAME                     USED   AVAIL  REFER  MOUNTPOINT
ldomspool                1.07G  2.84G  28.5K  /ldomspool
ldomspool/ldg1           1.03G  2.84G  1.00G  /ldomspool/ldg1
ldomspool/ldg1@initial   23.0M  -      1.00G  -
ldomspool/ldg2           23.2M  2.84G  1.00G  /ldomspool/ldg2
ldomspool/ldg3           21.0M  2.84G  1.00G  /ldomspool/ldg3

Note – Ensure that the ZFS pool has enough space for the clones that are being created. ZFS uses copy-on-write and takes space from the pool only when blocks in a clone are modified. Even after booting the domain, a clone uses only a small percentage of the disk’s size (since most of the OS binaries are the same as those in the initial snapshot).

Using Volume Managers in a Logical Domains Environment

The following topics are described in this section:

■ “Using Virtual Disks on Top of Volume Managers” on page 91
■ “Using Volume Managers on Top of Virtual Disks” on page 94

Using Virtual Disks on Top of Volume Managers

Any Zettabyte File System (ZFS), Solaris™ Volume Manager (SVM), or Veritas Volume Manager (VxVM) volume can be exported from a service domain to a guest domain as a virtual disk. The exported volume appears as a virtual disk with a single slice (s0) in the guest domain.

Note – The remainder of this discussion uses an SVM volume as an example. However, the discussion also applies to ZFS and VxVM volumes.

For example, if a service domain exports the SVM volume /dev/md/dsk/d0 to domain1 and domain1 sees that virtual disk as /dev/dsk/c0d2*, then domain1 only has an s0 device; that is, /dev/dsk/c0d2s0.


The virtual disk in the guest domain (for example, /dev/dsk/c0d2s0) is directly mapped to the associated volume (for example, /dev/md/dsk/d0), and data stored onto the virtual disk from the guest domain is stored directly on the associated volume with no extra metadata. So data stored on the virtual disk from the guest domain can also be accessed directly from the service domain through the associated volume. The service domain therefore has full access to the guest’s data and sits inside the guest’s trust boundary.

Examples:

■ If the SVM volume d0 is exported from the primary domain to domain1, then the configuration of domain1 requires some extra steps:

primary# metainit d0 3 1 c2t70d0s6 1 c2t80d0s6 1 c2t90d0s6
primary# ldm add-vdsdev /dev/md/dsk/d0 vol3@primary-vds0
primary# ldm add-vdisk vdisk3 vol3@primary-vds0 domain1

■ After domain1 has been bound and started, the exported volume appears as /dev/dsk/c0d2s0, for example, and you can use it:

domain1# newfs /dev/rdsk/c0d2s0
domain1# mount /dev/dsk/c0d2s0 /mnt
domain1# echo test-domain1 > /mnt/file

■ After domain1 has been stopped and unbound, data stored on the virtual disk from domain1 can be directly accessed from the primary domain through SVM volume d0:

primary# mount /dev/md/dsk/d0 /mnt
primary# cat /mnt/file
test-domain1

Note – Such a virtual disk cannot be seen by the format(1M) command, cannot be partitioned, and cannot be used as an installation disk for the Solaris OS. See “Some format(1M) Command Options Do Not Work With Virtual Disks” on page 63 for more information about this topic.


Note on Using Virtual Disks on Top of SVM

When a RAID or mirror SVM volume is used as a virtual disk by another domain and one of the components of the SVM volume fails, recovery of the SVM volume with the metareplace command or with a hot spare does not start: the metastat command reports the volume as resynchronizing, but the resynchronization does not progress.

For example, /dev/md/dsk/d0 is a RAID SVM volume that is exported as a virtual disk to another domain, and d0 is configured with some hot-spare devices. If a component of d0 fails, SVM replaces the failing component with a hot spare and should resynchronize the SVM volume, but the resynchronization does not start; the volume is reported as resynchronizing, but the resynchronization does not progress:

# metastat d0
d0: RAID
    State: Resyncing
    Hot spare pool: hsp000
    Interlace: 32 blocks
    Size: 20097600 blocks (9.6 GB)
Original device:
    Size: 20100992 blocks (9.6 GB)
        Device                                              Start Block  Dbase  State      Reloc
        c2t2d0s1                                            330          No     Okay       Yes
        c4t12d0s1                                           330          No     Okay       Yes
        /dev/dsk/c10t600C0FF0000000000015153295A4B100d0s1   330          No     Resyncing  Yes

In such a situation, the domain using the SVM volume as a virtual disk has to be stopped and unbound to complete the resynchronization. Then the SVM volume can be resynchronized using the metasync command. Until that is done the volume is running without its redundancy, so schedule the outage promptly.

# metasync d0

Note on Using Virtual Disks When VxVM Is Installed

When the Veritas Volume Manager (VxVM) is installed on your system, you have to ensure that Veritas Dynamic Multipathing (DMP) is not enabled on the physical disks or partitions you want to export as virtual disks. Otherwise, you receive an error in /var/adm/messages while binding a domain that uses such a disk:

vd_setup_vd(): ldi_open_by_name(/dev/dsk/c4t12d0s2) = errno 16
vds_add_vd(): Failed to add vdisk ID 0


You can check if Veritas DMP is enabled by checking multipathing information in the output of the command vxdisk list; for example:

# vxdisk list Disk_3
Device:    Disk_3
devicetag: Disk_3
type:      auto
info:      format=none
flags:     online ready private autoconfig invalid
pubpaths:  block=/dev/vx/dmp/Disk_3s2 char=/dev/vx/rdmp/Disk_3s2
guid:      -
udid:      SEAGATE%5FST336753LSUN36G%5FDISKS%5F3032333948303144304E0000
site:      -
Multipathing information:
numpaths:   1
c4t12d0s2   state=enabled

If Veritas DMP is enabled on a disk or a slice that you want to export as a virtual disk, then you must disable DMP using the vxdmpadm command. For example:

# vxdmpadm -f disable path=/dev/dsk/c4t12d0s2

Using Volume Managers on Top of Virtual Disks

This section describes the following situations in the Logical Domains environment:

■ “Using ZFS on Top of Virtual Disks” on page 94
■ “Using SVM on Top of Virtual Disks” on page 94
■ “Using VxVM on Top of Virtual Disks” on page 95

Using ZFS on Top of Virtual Disks

Any virtual disk can be used with ZFS. A ZFS storage pool (zpool) can be imported in any domain that sees all the storage devices that are part of this zpool, regardless of whether the domain sees all these devices as virtual devices or real devices.

Using SVM on Top of Virtual Disks

Any virtual disk can be used in the SVM local disk set. For example, a virtual disk can be used for storing the SVM meta database (metadb) of the local disk set or for creating SVM volumes in the local disk set.


Currently, you can only use virtual disks with the local disk set, but not with any shared disk set (metaset). Virtual disks cannot be added into an SVM shared disk set. Trying to add a virtual disk into an SVM shared disk set fails with an error similar to this:

# metaset -s test -a c2d2
metaset: domain1: test: failed to reserve any drives

Using VxVM on Top of Virtual Disks

VxVM does not currently work with virtual disks. The VxVM software can be installed into a domain having virtual disks, but VxVM is unable to see any of the virtual disks available.

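The two notes above (an SVM volume that stays in the Resyncing state while a guest holds it, and a slice that Veritas DMP still owns so that the bind fails with errno 16) are both things a service domain can check for itself before anyone binds a domain. The following is an added example and not part of the guide: a POSIX sh script that takes the backing devices of the virtual disk service and looks them up in metastat and vxdisk output. The three listings embedded in it are constructed after the guide’s examples (one shorter device name, c6t0d0s1, is invented for the resyncing component); on a live system they would come from ldm list-services, metastat and vxdisk list.

```shell
#!/bin/sh
# Added example, not part of the LDoms guide: a service-domain check for the
# two caveats described in this section. It reads which devices back the
# virtual disk service's volumes and then looks for (1) an exported SVM
# metadevice whose resync is stalled, which needs the guest stopped and
# unbound before "metasync", and (2) an exported physical slice that Veritas
# DMP still has an enabled path to, which makes the bind fail with errno 16.
# The three listings are CONSTRUCTED after the guide's examples, with one
# shorter device name (c6t0d0s1) invented for the resyncing component; on a
# live system they would come from "ldm list-services", "metastat" and
# "vxdisk list".

SERVICES='Vds: primary-vds0
      vdsdev: vol0 device=/export/home/solaris_10.disk
      vdsdev: vol3 device=/dev/md/dsk/d0
      vdsdev: volz device=/dev/rdsk/c4t12d0s2'

METASTAT='d0: RAID
    State: Resyncing
    Hot spare pool: hsp000
    Size: 20097600 blocks (9.6 GB)
        Device      Start Block  Dbase  State      Reloc
        c2t2d0s1    330          No     Okay       Yes
        c4t12d0s1   330          No     Okay       Yes
        c6t0d0s1    330          No     Resyncing  Yes

d1: Mirror
    State: Okay'

VXDISK='Device:    Disk_3
devicetag: Disk_3
type:      auto
flags:     online ready private autoconfig invalid
Multipathing information:
numpaths:   1
c4t12d0s2   state=enabled'

# "volume device" for every vdsdev the service exports.
exported_devices() {
  printf '%s\n' "$SERVICES" |
    awk '$1 == "vdsdev:" { sub(/^device=/, "", $3); print $2, $3 }'
}

# Top-level state of one metadevice (md_state d0 -> Resyncing).
md_state() {
  printf '%s\n' "$METASTAT" | awk -v dev="$1:" '
    $1 == dev              { want = 1; next }
    /^[a-z][0-9]+:/        { want = 0 }
    want && $1 == "State:" { print $2; exit }'
}

# Exported SVM volumes whose resync cannot finish while a guest holds them.
stalled_svm_volumes() {
  exported_devices | while read -r vol dev; do
    case $dev in /dev/md/dsk/*|/dev/md/rdsk/*) ;; *) continue ;; esac
    md=${dev##*/}
    if [ "$(md_state "$md")" = Resyncing ]; then echo "$vol $md"; fi
  done
}

# Exported physical slices that still have an enabled DMP path.
dmp_enabled_exports() {
  exported_devices | while read -r vol dev; do
    case $dev in /dev/dsk/*|/dev/rdsk/*) ;; *) continue ;; esac
    slice=${dev##*/}
    if printf '%s\n' "$VXDISK" | awk -v s="$slice" '
        /^Multipathing information:/           { mp = 1; next }
        mp && $1 == s && $2 == "state=enabled" { found = 1 }
        END                                    { exit !found }'
    then echo "$vol $slice"; fi
  done
}

# What the operator has to do before the affected domains can be bound or
# before the SVM volume regains its redundancy.
report() {
  stalled_svm_volumes | while read -r vol md; do
    echo "$vol ($md) is Resyncing: stop and unbind the domain using $vol, then run: metasync $md"
  done
  dmp_enabled_exports | while read -r vol slice; do
    echo "$vol ($slice) has DMP enabled: run: vxdmpadm -f disable path=/dev/dsk/$slice"
  done
}
[ "${1:-}" = report ] && report
```

Run it with the single argument report to get the two remediation lines; the functions can also be sourced into a larger pre-bind script. The device matching is deliberately by name only, which is enough for the formats shown in this chapter but assumes the vdsdev paths are the ones the volume managers also print.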
Configuring IPMP in a Logical Domains Environment

Internet Protocol Network Multipathing (IPMP) provides fault-tolerance and load balancing across multiple network interface cards. By using IPMP, you can configure one or more interfaces into an IP multipathing group. After configuring IPMP, the system automatically monitors the interfaces in the IPMP group for failure. If an interface in the group fails or is removed for maintenance, IPMP automatically migrates, or fails over, the failed interface’s IP addresses. In a Logical Domains environment, either the physical or virtual network interfaces can be configured for failover using IPMP.

Configuring Virtual Network Devices into an IPMP Group in a Logical Domain

A logical domain can be configured for fault-tolerance by configuring its virtual network devices into an IPMP group. When setting up an IPMP group with virtual network devices in an active-standby configuration, set up the group to use probe-based detection. Link-based detection and failover are currently not supported for virtual network devices in Logical Domains 1.0 software.

The following diagram shows two virtual networks (vnet0 and vnet1) connected to separate virtual switch instances (vsw0 and vsw1) in the service domain, which, in turn, use two different physical interfaces (e1000g0 and e1000g1). In the event of a physical interface failure, the IP layer in LDom_A detects failure and loss of connectivity on the corresponding vnet through probe-based detection, and automatically fails over to the secondary vnet device.

FIGURE 5-1 Two Virtual Networks Connected to Separate Virtual Switch Instances

Further reliability can be achieved in the logical domain by connecting each virtualnetwork device (vnet0 and vnet1) to virtual switch instances in different servicedomains (as shown in the following diagram). Two service domains (Service_1and Service_2) with virtual switch instances (vsw1 and vsw2) can be set up usinga split-PCI configuration. In this case, in addition to network hardware failure,LDom_A can detect virtual network failure and trigger a failover following a servicedomain crash or shutdown.

FIGURE 5-2 Each Virtual Network Device Connected to Different Service Domains

Refer to the Solaris 10 System Administration Guide: IP Services for more informationabout how to configure and use IPMP groups.

Figure 5-1 layout: LDom_A holds an IPMP group over vnet0 and vnet1; vnet0 connects to vsw0 on e1000g0 and vnet1 to vsw1 on e1000g1, both virtual switches in the one service LDom.

Figure 5-2 layout: the same IPMP group in LDom_A, but vnet0 connects to vsw0 on e1000g0 in Service_1 and vnet1 to vsw1 on e1000g1 in Service_2.


Configuring and Using IPMP in the Service Domain

Network failure detection and recovery can also be set up in a Logical Domains environment by configuring the physical interfaces in the service domain into an IPMP group. To do this, configure the virtual switch in the service domain as a network device, and configure the service domain itself to act as an IP router. (Refer to the Solaris 10 System Administration Guide: IP Services for information on setting up IP routing.)

Once configured, the virtual switch sends all packets originating from virtual networks (and destined for an external machine) to its IP layer, instead of sending the packets directly via the physical device. In the event of a physical interface failure, the IP layer detects the failure and automatically re-routes packets through the secondary interface.

Since the physical interfaces are directly configured into an IPMP group, the group can be set up for either link-based or probe-based detection. The following diagram shows two network interfaces (e1000g0 and e1000g1) configured as part of an IPMP group. The virtual switch instance (vsw0) has been plumbed as a network device to send packets to its IP layer.

FIGURE 5-3 Two Network Interfaces Configured as Part of IPMP Group

Figure 5-3 layout: LDom_A’s vnet0 connects to vsw0 in the service LDom; vsw0 is plumbed into the service LDom’s IP (routing) layer, which sits on an IPMP group of e1000g0 and e1000g1.

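The three network arrangements in this chapter (the vswitch-as-router/NAT procedure, IPMP over vnets inside a guest, and IPMP over the physical NICs in a routing service domain) come down to a handful of Solaris 10 configuration files. The following is an added example and not part of the guide: a POSIX sh script that writes those files into a scratch directory so they can be reviewed before anything touches /etc. Every address, subnet, group name and interface name in it is an assumption made for the illustration; the hostname.* syntax is the standard Solaris 10 IPMP form and the ipnat rules are IP Filter’s.

```shell
#!/bin/sh
# Added example, not part of the LDoms guide: writes the Solaris 10 network
# configuration for the arrangements described above into a scratch root so
# that it can be reviewed before anything touches /etc:
#   - a guest such as LDom_A with vnet0/vnet1 in a probe-based, active-standby
#     IPMP group (FIGURE 5-1 and 5-2);
#   - a service domain with e1000g0/e1000g1 in an IPMP group, vsw0 plumbed as
#     the guest-facing interface, IPv4 forwarding on and IP Filter NAT for the
#     guest subnet (FIGURE 5-3 and the NAT/routing procedure earlier in this
#     chapter).
# All addresses, group names and interface names are ASSUMPTIONS for the
# illustration. In practice the guest files go on the guest and the service
# domain files on the service domain; here both land under $ROOT for review.
# Set ROOT=/ on the target domain to write the live files.

ROOT=${ROOT:-$(mktemp -d)}

# write_ipmp_pair GROUP ACTIVE_IF STANDBY_IF DATA_ADDR TEST_ACTIVE TEST_STANDBY
# Probe-based detection needs a test address on every interface, marked
# "deprecated -failover" so it never carries application traffic and never
# moves; without test addresses in.mpathd can only do link-based detection,
# which LDoms 1.0 does not support on vnet devices.
write_ipmp_pair() {
  group=$1 active=$2 standby=$3 data=$4 test_a=$5 test_s=$6
  mkdir -p "$ROOT/etc"
  printf '%s netmask + broadcast + group %s up addif %s deprecated -failover netmask + broadcast + up\n' \
    "$data" "$group" "$test_a" > "$ROOT/etc/hostname.$active"
  printf '%s netmask + broadcast + deprecated group %s -failover standby up\n' \
    "$test_s" "$group" > "$ROOT/etc/hostname.$standby"
}

# write_service_router VSW_IF VSW_ADDR GUEST_NET EXT_IF1 EXT_IF2
# The virtual switch has no physical device; it is plumbed with an address on
# the guest-only subnet and becomes the guests' default router. ipnat rules
# match on the outbound interface, and after an IPMP failover the data
# address (and the outbound traffic) moves to the standby NIC, so the
# masquerade is written for both physical interfaces.
write_service_router() {
  vsw=$1 vaddr=$2 net=$3 ext1=$4 ext2=$5
  mkdir -p "$ROOT/etc/ipf"
  printf '%s netmask + broadcast + up\n' "$vaddr" > "$ROOT/etc/hostname.$vsw"
  for ext in "$ext1" "$ext2"; do
    printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$ext" "$net"
    printf 'map %s %s -> 0/32\n' "$ext" "$net"
  done > "$ROOT/etc/ipf/ipnat.conf"
  # Forwarding is switched with routeadm rather than a file; the commands are
  # recorded so the change can be reviewed and then run with
  # "sh $ROOT/enable-routing.sh" on the service domain.
  printf '%s\n' 'routeadm -u -e ipv4-forwarding' \
                'routeadm -u -e ipv4-routing' \
                'svcadm enable network/ipfilter' > "$ROOT/enable-routing.sh"
}

# Guest side of the same picture: the guest's default route is the service
# domain's vswitch address.
write_guest_defaultrouter() {
  mkdir -p "$ROOT/etc"
  printf '%s\n' "$1" > "$ROOT/etc/defaultrouter"
}

# Example run: an IPMP group on the guest's two vnets, and the service domain
# set up as a NAT router for the guest subnet 192.168.10.0/24.
write_ipmp_pair ipmp0 vnet0 vnet1 192.168.10.20 192.168.10.21 192.168.10.22
write_guest_defaultrouter 192.168.10.1
write_ipmp_pair ipmp0 e1000g0 e1000g1 10.0.0.20 10.0.0.21 10.0.0.22
write_service_router vsw0 192.168.10.1 192.168.10.0/24 e1000g0 e1000g1
echo "configuration written under $ROOT"
```

Inspect the generated hostname.vnet0, hostname.vnet1, hostname.vsw0, ipf/ipnat.conf and enable-routing.sh before copying them into place. The duplicated NAT rule per physical interface is the part most easily forgotten: with a rule on e1000g0 only, guest traffic keeps flowing after an IPMP failover but leaves e1000g1 untranslated.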

APPENDIX A

Reference Section for the ldm(1M) Command

The command-line interface (CLI) to the Logical Domains Manager is the ldm(1M) command. To use this CLI, you must have the Logical Domains Manager daemon, ldmd, running. This appendix provides the ldm(1M) reference material found in the ldm(1M) man page that is included with the Logical Domains Manager software package (SUNWldm).

To access the man page, be sure you have added the directory path /opt/SUNWldm/man to the variable $MANPATH.


ldm(1M)

NAME ldm - command-line interface for the Logical Domains Manager

SYNOPSIS ldm or ldm --help [ subcommand]

ldm -V

ldm list [-l] [-p]

ldm add-domain (-i file | ldom)

ldm remove-domain (-a | ldom...)

ldm list-domain [-l] [-p] [ldom...]

ldm add-vcpu number ldom

ldm set-vcpu number ldom

ldm remove-vcpu number ldom

ldm add-mau number ldom

ldm set-mau number ldom

ldm remove-mau number ldom

ldm add-memory size[unit] ldom

ldm set-memory size[unit] ldom

ldm remove-memory size[unit] ldom

ldm remove-reconf ldom

ldm add-io [bypass=on] bus ldom

ldm remove-io bus ldom

ldm add-vswitch [mac-addr=num] [net-dev=device] vswitch_name ldom

ldm set-vswitch [mac-addr=num] [net-dev=device] vswitch_name

ldm remove-vswitch [-f] vswitch_name

ldm add-vnet [mac-addr=num] if_name vswitch_name ldom

ldm set-vnet [mac-addr=num] [vswitch_name] if_name ldom

ldm remove-vnet [-f] if_name ldom

ldm add-vdiskserver service_name ldom

ldm remove-vdiskserver [-f] service_name

ldm add-vdiskserverdevice file|device volume_name@service_name


ldm remove-vdiskserverdevice [-f] volume_name@vds_name

ldm add-vdisk disk_name volume_name@service_name ldom

ldm remove-vdisk [-f] disk_name ldom

ldm add-vdpcs vdpcs_service_name ldom

ldm remove-vdpcs vdpcs_service_name

ldm add-vdpcc vdpcc_name vdpcs_service_name ldom

ldm remove-vdpcc vdpcc_name ldom

ldm add-vconscon port-range=x-y vcc_name ldom

ldm set-vconscon port-range=x-y vcc_name

ldm remove-vconscon [-f] vcc_name

ldm set-vconsole [group@]vcc_name ldom

ldm add-variable var_name=value ldom

ldm set-variable var_name=value ldom

ldm remove-variable var_name ldom

ldm list-variable var_name... [ldom...]

ldm start-domain (-a | -i file | ldom...)

ldm stop-domain [-f] (-a | ldom...)

ldm bind-domain (-i file | ldom)

ldm unbind-domain ldom

ldm list-bindings [ldom...]

ldm add-config config_name

ldm set-config config_name

ldm set-config factory-default

ldm remove-config config_name

ldm list-config

ldm list-constraints (-x ldom) | ([-p] [ldom...])

ldm list-devices [-a] [cpu | mau | memory | io]

ldm list-services [ldom...]


DESCRIPTION The Logical Domains Manager (ldm) is used to create and manage logical domains. There can be only one Logical Domains Manager per server. The Logical Domains Manager runs on the control domain, which is the initial domain created by the system controller (and named primary).

A logical domain is a discrete logical grouping with its own operating system, resources, and identity within a single computer system. Each logical domain can be created, destroyed, reconfigured, and rebooted independently, without requiring a power cycle of the server. You can run a variety of applications in different logical domains and keep them independent for security purposes.

All logical domains are the same except for the roles that you specify for them. There are several roles that logical domains can perform:

Control domain    Creates and manages other logical domains and services by communicating with the hypervisor.

Service domain    Provides services to other logical domains, such as a virtual network switch or a virtual disk service.

I/O domain        Has direct ownership of and direct access to physical I/O devices, such as a network card in a PCI Express controller. Shares the devices to other domains in the form of virtual devices. You can have a maximum of two I/O domains, one of which also must be the control domain.

Guest domain      Uses services from the I/O and service domains and is managed by the control domain.

SUBCOMMAND SUMMARIES Following is a list of the supported subcommands with their descriptions and required authorization. For information about setting up authorization for user accounts, refer to “Creating Authorization and Profiles for User Accounts” in the Logical Domains (LDoms) 1.0 Administration Guide.

add-resource      solaris.ldoms.write
    Adds a resource to an existing logical domain. See RESOURCES for resource definitions.

add-config        solaris.ldoms.write
    Adds a logical domain configuration to the system controller (SC).

add-domain        solaris.ldoms.write
    Creates a logical domain.

bind-domain       solaris.ldoms.write
    Binds resources to a created logical domain.

remove-reconf     solaris.ldoms.write
    Cancels delayed reconfiguration operations for a logical domain.

remove-domain     solaris.ldoms.write
    Deletes a logical domain.


list-type         solaris.ldoms.read
    Lists server resources, including bindings, constraints, devices, services, and configurations for logical domains.

list-domain       solaris.ldoms.read
    Lists logical domains and their states.

list-variable     solaris.ldoms.read
    Lists variables for logical domains.

remove-resource   solaris.ldoms.write
    Removes a resource from an existing logical domain. See RESOURCES for resource definitions.

remove-config     solaris.ldoms.write
    Removes a logical domain configuration from the system controller.

remove-variable   solaris.ldoms.write
    Removes one or more variables from an existing logical domain.

set-resource      solaris.ldoms.write
    Specifies a resource for an existing logical domain. This can be either a property change or a quantity change. This represents a quantity change when applied to the resources vcpu, memory, or mau. For a quantity change, the subcommand becomes a dynamic reconfiguration (DR) operation where the quantity of the specified resource is assigned to the specified logical domain. If there are more resources assigned to the logical domain than are specified in this subcommand, some are removed. If there are fewer resources assigned to the logical domain than are specified in this subcommand, some are added. See RESOURCES for resource definitions.

set-config        solaris.ldoms.write
    Specifies a logical domain configuration to use.

set-variable      solaris.ldoms.write
    Sets one or more variables for an existing logical domain.

start-domain      solaris.ldoms.write
    Starts one or more logical domains.

stop-domain       solaris.ldoms.write
    Stops one or more running logical domains.

unbind-domain     solaris.ldoms.write
    Unbinds or releases resources from a logical domain.

Note – Not all subcommands are supported on all resource types.

104 Logical Domains (LDoms) 1.0 Manager • Last Revised March 26, 2007


ALIASES The following aliases for the subcommands are supported. The short form is in the first column and the long form in the second column. The aliases apply regardless of the action performed. For example, because dom is an alias for domain, then start-dom, stop-dom, bind-dom, and the others are all valid.

config   spconfig
dom      domain
ls       list
mem      memory
rm       remove
var      variable
vcc      vconscon
vcons    vconsole
vdpcc    ndpsldcc
vdpcs    ndpsldcs
vds      vdiskserver
vdsdev   vdiskserverdevice
vsw      vswitch

Note – In the syntax and examples in the remainder of this man page, the short form of the subcommands is used.

RESOURCES The following resources are supported:

io – I/O devices, such as internal disks and PCI-Express (PCI-E) controllers and their attached adapters and devices.

mau – Modular arithmetic unit, a cryptographic unit for a supported server.

mem, memory – Memory – default size in bytes, or specify gigabytes (G), kilobytes (K), or megabytes (M). Virtualized memory of the server that can be allocated to guest domains.

vcc, vconscon – Virtual console concentrator service with a specific range of TCP ports to assign to each guest domain at the time it is created.

vcons, vconsole – Virtual console for accessing system level messages. A connection is achieved by connecting to the vconscon service in the control domain at a specific port.

vcpu – Virtual CPUs represent each of the cores of a server. For example, an 8-core Sun Fire T2000 server has 32 virtual CPUs that can be allocated between the logical domains.

vdisk – Virtual disks are generic block devices backed by different types of physical devices, volumes, or files. A virtual disk is not synonymous with a SCSI disk and, therefore, excludes the target ID (tN) in the disk label. Virtual disks in a logical domain have the following format: cNdNsN, where cN is the virtual controller, dN is the virtual disk number, and sN is the slice.

vds, vdiskserver – Virtual disk server allows you to import virtual disks into a logical domain.

vdsdev, vdiskserverdevice – Device exported by the virtual disk server. The device can be an entire disk, a slice on a disk, a file, or a disk volume.

vdpcc – Virtual data plane channel client. Only of interest in a Netra Data Plane Software (NDPS) environment.

vdpcs – Virtual data plane channel service. Only of interest in a Netra Data Plane Software (NDPS) environment.

vnet – Virtual network device implements a virtual Ethernet device and communicates with other vnet devices in the system using the virtual network switch (vsw).

vsw, vswitch – Virtual network switch that connects the virtual network devices to the external network and also switches packets between them.

LIST TYPES The following list types are supported:

bindings – Lists the resources bound to a logical domain.

constraints – Lists the constraints used to create a logical domain.

devices – Lists all free devices for the server.

services – Lists the services exported or consumed by a logical domain.

config – Lists the logical domain configurations stored on the system controller.

OPTIONS The following options are supported. The short option is first, the long option is second, followed by the description of the option.

ldm --help – Displays usage statements.

-a, --all – Operates on all of the operand types.

-f, --force – Attempts to force an operation.

-i file, --input file – Specifies the XML configuration file to use in creating a logical domain.

-l, --long – Generates a long listing.

-p, --parseable – Generates a machine-readable version of the output.

-x, --xml – Specifies that an XML file containing the constraints for the logical domain be written to standard output (stdout). Can be used as a backup file.

-V, --version – Displays version information.

PROPERTIES The following property types are supported:

mac-addr= – Defines a MAC address. The number must be in standard octet notation; for example, 80:00:33:55:22:66.

net-dev= – Defines the path name of the actual network device.

port-range= – Defines a range of TCP ports.

SUBCOMMAND USAGE This section contains descriptions of every supported command line interface (CLI) operation; that is, every subcommand and resource combination.

ADD AND REMOVE DOMAINS

Add Logical Domain

ldm add-dom (-i file | ldom)

This subcommand adds a logical domain by specifying a logical domain name or by using an XML configuration file.

Where:

■ -i file specifies the XML configuration file to use in creating the logical domain.

■ ldom specifies the name to use for the logical domain.

Remove Logical Domains

ldm rm-dom (-a | ldom...)

This subcommand removes one or more logical domains.

Where:

■ -a option means delete all logical domains except the control domain.

■ ldom... specifies one or more logical domains to be deleted.


CPU AND MEMORY (Reconfiguration Operations)

There are three types of reconfiguration operations:

■ Configuration mode – The Logical Domains Manager runs in configuration mode when the server is in the factory-default configuration. In this mode, no reconfiguration operations take effect until after the configuration is saved to the system controller using the add-config subcommand and until that configuration is instantiated by rebooting the control domain.

■ Delayed reconfiguration operations – Any add or remove operations on active logical domains, except the add-vcpu, set-vcpu, rm-vcpu, add-vdsdev, and rm-vdsdev subcommands, are considered delayed reconfiguration operations. In addition, the set-vsw subcommand on an active logical domain is considered a delayed reconfiguration operation. Delayed reconfiguration operations take effect after the next reboot of the OS or stop and start of the logical domain if no OS is running.

■ Dynamic reconfiguration operations – Reconfiguration operations on domains in a bound or inactive state and add-vcpu and rm-vcpu operations on domains in an active state are considered dynamic reconfiguration operations. Dynamic reconfiguration operations take effect immediately.
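As an added example (not from the man page), the following POSIX shell function applies the three rules above to decide, before an ldm command is issued, whether the change will take effect at once or only after a reboot; the function names and the "unspecified" result for cases the rules do not name are my own.

```shell
#!/bin/sh
# Added example, not part of the ldm(1M) man page: classify an ldm
# operation against a domain's state using the three reconfiguration
# rules (configuration mode, delayed, dynamic).
#
# Usage: reconf_type SUBCOMMAND STATE [CONFIG_MODE]
#   SUBCOMMAND   an ldm subcommand in short or long form, e.g. add-vnet,
#                remove-vcpu, set-vswitch
#   STATE        active | bound | inactive   (as reported by ldm ls-dom)
#   CONFIG_MODE  yes while the server still runs the factory-default
#                configuration, no otherwise (default: no)
# Prints one of: configuration | dynamic | delayed | unspecified
# ("unspecified" is my label for cases the three rules do not name,
# such as set-mem on an active domain).

# Reduce a subcommand to the short form used throughout the man page
# (remove->rm, domain->dom, memory->mem, vswitch->vsw, ...).
short_form() {
    printf '%s\n' "$1" | sed \
        -e 's/^remove-/rm-/' \
        -e 's/-domain$/-dom/' \
        -e 's/-memory$/-mem/' \
        -e 's/-vswitch$/-vsw/' \
        -e 's/-vdiskserverdevice$/-vdsdev/' \
        -e 's/-vdiskserver$/-vds/'
}

reconf_type() {
    sub=$(short_form "$1")
    state=$2
    config_mode=${3:-no}

    # Rule 1: in configuration mode nothing takes effect until the
    # configuration is saved with add-config and the control domain
    # is rebooted, whatever the subcommand or domain state.
    if [ "$config_mode" = yes ]; then
        echo configuration
        return 0
    fi

    # Rule 3, first clause: any operation on a bound or inactive
    # domain is dynamic and takes effect immediately.
    case $state in
        bound|inactive) echo dynamic; return 0 ;;
        active) ;;
        *) echo "reconf_type: unknown state '$state'" >&2; return 1 ;;
    esac

    # The domain is active.
    case $sub in
        add-vcpu|set-vcpu|rm-vcpu|add-vdsdev|rm-vdsdev)
            echo dynamic ;;      # named exceptions to the delayed rule
        set-vsw)
            echo delayed ;;      # the one set-* the man page calls delayed
        add-*|rm-*)
            echo delayed ;;      # every other add/remove on an active domain;
                                 # pending ones can be cancelled with rm-reconf
        *)
            echo unspecified ;;  # other set-*, list-*, etc. are not covered
    esac
}

# When invoked directly with arguments, classify that one operation.
if [ $# -ge 2 ]; then
    reconf_type "$@"
fi
```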

Add Virtual CPUs

ldm add-vcpu number ldom

This subcommand adds the specified number of virtual CPUs to the logical domain.

Where:

■ number is the number of virtual CPUs to be added to the logical domain.

■ ldom specifies the logical domain where the virtual CPUs are to be added.

Set Virtual CPUs

ldm set-vcpu number ldom

This subcommand specifies the number of virtual CPUs to be set in a logical domain.

Where:

■ number is the number of virtual CPUs to be set in a logical domain.

■ ldom is the logical domain where the number of virtual CPUs is to be set.

Remove Virtual CPUs

ldm rm-vcpu number ldom

This subcommand removes the specified number of virtual CPUs from the logical domain.

Where:

■ number is the number of virtual CPUs to be removed from the logical domain.

■ ldom specifies the logical domain where the virtual CPUs are to be removed.


Add Modular Arithmetic Units

ldm add-mau number ldom

This subcommand specifies the number of modular arithmetic units (mau), or cryptographic units, to be added to a logical domain.

Where:

■ number is the number of mau units to be added to the logical domain.

■ ldom specifies the logical domain where the mau units are to be added.

Set Modular Arithmetic Units

ldm set-mau number ldom

This subcommand specifies the number of modular arithmetic units (mau) to be set in the logical domain.

Where:

■ number is the number of mau units to be set in the logical domain.

■ ldom specifies the logical domain where the number of mau units is to be set.

Remove Modular Arithmetic Units

ldm rm-mau number ldom

This subcommand removes the specified number of modular arithmetic units (mau) from a logical domain.

Where:

■ number is the number of mau units to be removed from the logical domain.

■ ldom specifies the logical domain where the mau units are to be removed.

Add Memory

ldm add-mem size[unit] ldom

This subcommand adds the specified quantity of memory to a logical domain.

Where:

■ size is the size of memory to be added to a logical domain.

■ unit (optional) is the unit of measurement. The default is bytes. If you want a different unit of measurement, specify one of the following (the unit is not case-sensitive):

  G gigabytes
  K kilobytes
  M megabytes

■ ldom specifies the logical domain where the memory is to be added.


Set Memory

ldm set-mem size[unit] ldom

This subcommand sets a specific quantity of memory in a logical domain.

Where:

■ size is the size of memory to be set in the logical domain.

■ unit (optional) is the unit of measurement. The default is bytes. If you want a different unit of measurement, specify one of the following (the unit is not case-sensitive):

  G gigabytes
  K kilobytes
  M megabytes

■ ldom specifies the logical domain where the memory is to be modified.

Remove Memory

ldm rm-mem size[unit] ldom

This subcommand removes the specified quantity of memory from a logical domain.

Where:

■ size is the size of memory to be removed from the logical domain.

■ unit (optional) is the unit of measurement. The default is bytes. If you want a different unit of measurement, specify one of the following (the unit is not case-sensitive):

  G gigabytes
  K kilobytes
  M megabytes

■ ldom specifies the logical domain where memory is to be removed.

Remove Delayed Reconfiguration Operations

ldm rm-reconf ldom

This subcommand removes, or cancels, delayed reconfiguration operations for a logical domain.


INPUT/OUTPUT DEVICES

Add Input/Output Device

ldm add-io [bypass=on] bus ldom

This subcommand adds a PCI bus to a specified logical domain.

Where:

■ bypass=on option turns on the I/O MMU bypass mode. This bypass mode should be enabled only if the respective I/O domain and I/O devices within that I/O domain are trusted by all guest domains.

Caution – By default, Logical Domains software controls PCI-E transactions so that a given I/O device or PCI-E option can only access the physical memory assigned within the I/O domain. Any attempt to access memory of another guest domain is prevented by the I/O MMU. This provides a higher level of security between the I/O domain and all other domains. However, in the rare case where a PCI-E or PCI-X option card does not load or operate with the I/O MMU bypass mode off, this option allows you to turn the I/O MMU bypass mode on. However, if you turn the bypass mode on, there no longer is a hardware-enforced protection of memory accesses from the I/O domain.

■ bus is the requested PCI bus; for example, pci@780 or pci@7c0.

■ ldom specifies the logical domain where the PCI bus is to be added.

Remove Input/Output Device

ldm rm-io bus ldom

This subcommand removes a PCI bus from a specified logical domain.

Where:

■ bus is the requested PCI bus; for example, pci@780 or pci@7c0.

■ ldom specifies the logical domain where the PCI bus is to be removed.

VIRTUAL NETWORK - SERVICE

Add a Virtual Switch

ldm add-vsw [mac-addr=num] [net-dev=device] vswitch_name ldom

This subcommand adds a virtual switch to a specified logical domain.


Where:

■ num is the MAC address to be used by this switch. The number must be in standard octet notation; for example, 80:00:33:55:22:66. If you do not specify a MAC address, the switch is automatically assigned an address from the range of public MAC addresses allocated to the Logical Domains Manager.

■ device is the path to the network device over which this switch operates.

■ vswitch_name is the unique name of the switch that is to be exported as a service. Clients (network) can attach to this service.

■ ldom specifies the logical domain in which to add a virtual switch.

Set a Virtual Switch

ldm set-vsw [mac-addr=num] [net-dev=device] vswitch_name

This subcommand modifies the properties of a virtual switch that has already been added.

Where:

■ num is the MAC address used by the switch. The number must be in standard octet notation; for example, 80:00:33:55:22:66.

■ device is the path to the network device over which this switch operates.

■ vswitch_name is the unique name of the switch that is to be exported as a service. Clients (network) can be attached to this service.

Remove a Virtual Switch

ldm rm-vsw [-f] vswitch_name

This subcommand removes a virtual switch.

Where:

■ -f attempts to force the removal of a virtual switch. The removal might fail.

■ vswitch_name is the name of the switch that is to be removed as a service.

VIRTUAL NETWORK - CLIENT

Add a Virtual Network Device

ldm add-vnet [mac-addr=num] if_name vswitch_name ldom

This subcommand adds a virtual network device to the specified logical domain.

Where:

■ num is the MAC address for this network device. The number must be in standard octet notation; for example, 80:00:33:55:22:66.


■ if_name, the interface name, is a name unique to the logical domain, assigned to this virtual network device instance for reference on subsequent set-vnet or rm-vnet subcommands.

■ vswitch_name is the name of an existing network service (virtual switch) to which to connect.

■ ldom specifies the logical domain to which to add the virtual network device.

Set a Virtual Network Device

ldm set-vnet [mac-addr=num] [vswitch_name] if_name ldom

This subcommand sets a virtual network device in the specified logical domain.

Where:

■ num is the MAC address for this network device. The number must be in standard octet notation; for example, 80:00:33:55:22:66.

■ vswitch_name is the name of an existing network service (virtual switch) to which the network device is connected.

■ if_name, the interface name, is the unique name assigned to the virtual network device you want to set.

■ ldom specifies the logical domain in which to modify the virtual network device.

Remove a Virtual Network Device

ldm rm-vnet [-f] if_name ldom

This subcommand removes a virtual network device from the specified logical domain.

Where:

■ -f attempts to force the removal of a virtual network device from a logical domain. The removal might fail.

■ if_name, the interface name, is the unique name assigned to the virtual network device you want to remove.

■ ldom specifies the logical domain from which to remove the virtual network device.

VIRTUAL DISK - SERVICE

Add a Virtual Disk Server

ldm add-vds service_name ldom

This subcommand adds a virtual disk server to the specified logical domain.


Where:

■ service_name is the service name for this instance of the virtual disk server. The service_name must be unique among all virtual disk server instances on the server.

■ ldom specifies the logical domain in which to add the virtual disk server.

Remove a Virtual Disk Server

ldm rm-vds [-f] service_name

This subcommand removes a virtual disk server.

Where:

■ -f attempts to force the removal of a virtual disk server. The removal might fail.

■ service_name is the unique service name for this instance of the virtual disk server.

Caution – The -f option attempts to unbind all clients before removal, and could cause loss of disk data if writes are in progress.

Add a Device to a Virtual Disk Server

ldm add-vdsdev file|device volume_name@service_name

This subcommand adds a device to a virtual disk server. The device can be an entire disk, a slice on a disk, a file, or a disk volume.

Where:

■ file|device is the path name of either the actual physical device or the actual file exported as a block device. When adding a device, the volume_name must be paired with the file|device.

■ volume_name is a unique name you must specify for the device being added to the virtual disk server. The volume_name must be unique for this virtual disk server instance, because this name is exported by this virtual disk server to the clients for adding. When adding a device, the volume_name must be paired with the file|device.

■ service_name is the name of the virtual disk server to which to add this device.

Remove a Device From a Virtual Disk Server

ldm rm-vdsdev [-f] volume_name@vds_name

This subcommand removes a device from a virtual disk server.


Where:

■ -f attempts to force the removal of the virtual disk server device. The removal might fail.

■ volume_name is the unique name for the device being removed from the virtual disk server.

■ vds_name is the name of the virtual disk server from which to remove this device.

Caution – Without the -f option, the rm-vdsdev subcommand does not allow a virtual disk server device to be removed if the device is busy. Using the -f option can cause data loss for open files.

VIRTUAL DISK - CLIENT

Add a Virtual Disk

ldm add-vdisk disk_name volume_name@service_name ldom

This subcommand adds a virtual disk to the specified logical domain.

Where:

■ disk_name is the name of the virtual disk.

■ volume_name is the name of the existing virtual disk server device to which to connect.

■ service_name is the name of the existing virtual disk server to which to connect.

■ ldom specifies the logical domain in which to add the virtual disk.

Remove a Virtual Disk

ldm rm-vdisk [-f] disk_name ldom

This subcommand removes a virtual disk from the specified logical domain.

Where:

■ -f attempts to force the removal of the virtual disk. The removal might fail.

■ disk_name is the name of the virtual disk to be removed.

■ ldom specifies the logical domain from which to remove the virtual disk.


VIRTUAL DATA PLANE CHANNEL - SERVICE

Add a Virtual Data Plane Channel Service

ldm add-vdpcs vdpcs_service_name ldom

This subcommand adds a virtual data plane channel service to the specified logical domain. This subcommand should only be used in a Netra Data Plane Software (NDPS) environment.

Where:

■ vdpcs_service_name is the name of the virtual data plane channel service that is to be added.

■ ldom specifies the logical domain to which to add the virtual data plane channel service.

Remove a Virtual Data Plane Channel Service

ldm rm-vdpcs vdpcs_service_name

This subcommand removes a virtual data plane channel service. This subcommand should only be used in a Netra Data Plane Software (NDPS) environment.

Where:

■ vdpcs_service_name is the name of the virtual data plane channel service that is to be removed.

VIRTUAL DATA PLANE CHANNEL - CLIENT

Add a Virtual Data Plane Channel Client

ldm add-vdpcc vdpcc_name vdpcs_service_name ldom

This subcommand adds a virtual data plane channel client to the specified logical domain. This subcommand should only be used in a Netra Data Plane Software (NDPS) environment.

Where:

■ vdpcc_name is the unique name of the virtual data plane channel service client.

■ vdpcs_service_name is the name of the virtual data plane channel service to which to connect this client.

■ ldom specifies the logical domain to which to add the virtual data plane channel client.


Remove a Virtual Data Plane Channel Client

ldm rm-vdpcc vdpcc_name ldom

This subcommand removes a virtual data plane channel client from the specified logical domain. This subcommand should only be used in a Netra Data Plane Software (NDPS) environment.

Where:

■ vdpcc_name is the unique name assigned to the virtual data plane channel client that is to be removed.

■ ldom specifies the logical domain from which to remove the virtual data plane channel client.

VIRTUAL CONSOLE

Add a Virtual Console Concentrator

ldm add-vcc port-range=x-y vcc_name ldom

This subcommand adds a virtual console concentrator to the specified logical domain.

Where:

■ x-y is the range of TCP ports to be used by the virtual console concentrator for console connections.

■ vcc_name is the name of the virtual console concentrator that is to be added.

■ ldom specifies the logical domain to which to add the virtual console concentrator.

Set a Virtual Console Concentrator

ldm set-vcc port-range=x-y vcc_name

This subcommand sets a specific virtual console concentrator.

Where:

■ x-y is the range of TCP ports to be used by the virtual console concentrator for console connections. Any modified port range must be a superset of the previous range.

■ vcc_name is the name of the virtual console concentrator that is to be set.

Remove a Virtual Console Concentrator

ldm rm-vcc [-f] vcc_name

This subcommand removes a virtual console concentrator from the specified logical domain.


Where:

■ -f attempts to force the removal of the virtual console concentrator. The removal might fail.

■ vcc_name is the name of the virtual console concentrator that is to be removed.

Caution – The -f option attempts to unbind all clients before removal, and could cause loss of data if writes are in progress.
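The following POSIX shell helpers are an added example, not part of the man page: they check three argument formats defined above before a value reaches ldm, namely the size[unit] syntax of add-mem, set-mem and rm-mem, the mac-addr= octet notation used by add-vsw and add-vnet, and the rule under Set a Virtual Console Concentrator that a modified port-range must be a superset of the previous range. Function names and the sample values in the comments are my own.

```shell
#!/bin/sh
# Added example, not part of the ldm(1M) man page: pre-flight checks for
# three argument formats the man page defines, run before the value is
# handed to ldm.  Function names are my own; sample values in the usage
# comments are constructed.
#   mem_to_bytes SIZE[UNIT]          size[unit] as taken by add-mem/set-mem/rm-mem
#   is_mac_addr  ADDR                mac-addr= in standard octet notation
#   port_range_is_superset OLD NEW   port-range=x-y for set-vcc, which must
#                                    contain the range previously given

# Convert size[unit] to bytes.  The default unit is bytes; G, K and M are
# accepted in either case.  Prints the byte count; returns 1 when the
# value is malformed (e.g. "1GB", "G", "12M3").
mem_to_bytes() {
    case $1 in
        ''|*[!0-9gGkKmM]*) return 1 ;;
    esac
    num=${1%[gGkKmM]}        # strip at most one trailing unit letter
    unit=${1#"$num"}         # whatever was stripped ('' for plain bytes)
    case $num in
        ''|*[!0-9]*) return 1 ;;
    esac
    case $unit in
        '')   mult=1 ;;
        [kK]) mult=1024 ;;
        [mM]) mult=1048576 ;;
        [gG]) mult=1073741824 ;;
    esac
    echo $((num * mult))
}

# True when ADDR is six colon-separated hex octets written with one or
# two digits each, as in the man page's 80:00:33:55:22:66 and the
# 0:14:4f:f9:68:d0 shown by ldm ls-services.
is_mac_addr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$'
}

# True when the NEW x-y range contains the OLD one (set-vcc requires a
# modified port range to be a superset of the previous range).  Returns 2
# when either range is malformed or outside the TCP port space.
port_range_is_superset() {
    old_lo=${1%-*}; old_hi=${1#*-}
    new_lo=${2%-*}; new_hi=${2#*-}
    for v in "$old_lo" "$old_hi" "$new_lo" "$new_hi"; do
        case $v in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$old_lo" -le "$old_hi" ] && [ "$new_lo" -le "$new_hi" ] || return 2
    [ "$new_lo" -ge 1 ] && [ "$new_hi" -le 65535 ] || return 2
    [ "$new_lo" -le "$old_lo" ] && [ "$new_hi" -ge "$old_hi" ]
}

# Small front end for interactive use:
#   sh preflight.sh mem 512m          -> 536870912
#   sh preflight.sh mac 0:14:4f:f9:68:d0
#   sh preflight.sh vcc 5000-5100 5000-5200
case ${1:-} in
    mem) mem_to_bytes "$2" || echo "bad size: $2" >&2 ;;
    mac) is_mac_addr "$2" && echo "ok: $2" || echo "bad MAC: $2" >&2 ;;
    vcc) port_range_is_superset "$2" "$3" && echo "ok: $3 contains $2" \
             || echo "refuse: $3 does not contain $2" >&2 ;;
esac
```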

Set a Virtual Console

ldm set-vcons [group@]vcc_name ldom

This subcommand sets the attached console’s service or group in the specified logical domain.

Where:

■ group is the new group to which to attach this console. The group argument allows multiple consoles to be multiplexed onto the same TCP connection. Refer to the Solaris OS vntsd(1M) man page for more information about this concept.

■ vcc_name is the name you specify for the existing virtual console concentrator to handle the console connection.

■ ldom specifies the logical domain in which to set the virtual console concentrator.

VARIABLES

Add Variable

ldm add-var var_name=value ldom

This subcommand adds a variable for a logical domain.

Where:

■ var_name=value is the name and value pair of the variable to add.

■ ldom specifies the logical domain in which to add the variable.

Set Variable

ldm set-var var_name=value ldom

This subcommand sets a variable for a logical domain.

Where:

■ var_name=value is the name and value pair of the variable to set.

■ ldom specifies the logical domain in which to set the variable.

Note – Leaving var_name blank sets var_name to NULL.


Remove Variable

ldm rm-var var_name ldom

This subcommand removes a variable for a logical domain.

Where:

■ var_name is the name of the variable to remove.

■ ldom specifies the logical domain from which to remove the variable.

OPERATIONS

Start Logical Domains

ldm start-dom (-a | -i file | ldom...)

This subcommand starts one or more logical domains.

Where:

■ -a means start all bound logical domains.

■ -i file specifies an XML configuration file to use in starting the logical domain.

■ ldom... specifies one or more logical domains to start.

Stop Logical Domains

ldm stop-dom [-f] (-a | ldom...)

This subcommand stops one or more running logical domains.

Where:

■ -f option attempts to force a running logical domain to stop.

■ -a option means stop all running logical domains except the control domain.

■ ldom... specifies one or more running logical domains to stop.

Provide Help Information

ldm --help [subcommand]

This subcommand provides usage for all subcommands or the subcommand that you specify. You can also use the ldm command alone to provide usage for all subcommands.

Provide Version Information

ldm (--version | -V)

This subcommand provides version information.

Bind Resources to a Logical Domain

ldm bind-dom (-i file | ldom)

This subcommand binds, or attaches, configured resources to a logical domain.


Where:

■ -i file specifies an XML configuration file to use in binding the logical domain.

■ ldom specifies the logical domain to which to bind resources.

Unbind Resources From a Logical Domain

ldm unbind-dom ldom

This subcommand releases resources bound to configured logical domains.

Where:

■ ldom specifies the logical domain from which to unbind resources.

LOGICAL DOMAIN CONFIGURATIONS

Add Logical Domain Configuration

ldm add-config config_name

This subcommand adds a logical domain configuration. The configuration is stored on the system controller (SC).

Where:

■ config_name is the name of the logical domain configuration to add.

Set Logical Domain Configuration

ldm set-config config_name

This subcommand enables you to specify a logical domain configuration to use. The configuration is stored on the system controller (SC).

Where:

■ config_name is the name of the logical domain configuration to use.

The default configuration name is factory-default. To specify the default configuration, use the following:

ldm set-config factory-default

Remove Logical Domain Configuration

ldm rm-config config_name

This subcommand removes a logical domain configuration. The configuration is stored on the system controller (SC).


Where:

■ config_name is the name of the logical domain configuration to remove.

LISTS

List Logical Domains and States

ldm ls-dom [-l] [-p] [ldom...]

This subcommand lists logical domains and their states. If you do not specify a logical domain, all logical domains are listed.

Where:

■ -l means to generate a long listing.

■ -p means generate the list in a parseable, machine-readable format.

■ ldom... is the name of one or more logical domains for which to list state information.

List Bindings for Logical Domains

ldm ls-bindings [ldom...]

This subcommand lists bindings for logical domains. If no logical domains are specified, all logical domains are listed.

Where:

■ ldom... is the name of one or more logical domains for which you want binding information.

List Services for Logical Domains

ldm ls-services [ldom...]

This subcommand lists all the services exported by logical domains. If no logical domains are specified, all logical domains are listed.

Where:

■ ldom... is the name of one or more logical domains for which you want services information.

List Constraints for Logical Domains

ldm ls-constraints (-x ldom) | ([-p] [ldom...])

This subcommand lists the constraints for the creation of one or more logical domains. If the -x option is specified, only the one specified logical domain is listed. If you specify nothing after the subcommand, all logical domains are listed.

Where:

■ -x means write the constraint output in XML format for the named logical domain. This can be used as a backup.

■ -p means write the constraint output in a parseable, machine-readable form.


■ ldom... is the name of one or more logical domains for which you want to list constraints.

List Devices

ldm ls-devices [-a] [cpu | mau | memory | io]

This subcommand lists free (unbound) resources or all server resources. The default is to list all free resources.

Where:

■ -a lists all server resources, bound and unbound.

■ cpu lists only CPU resources.

■ mau lists only the modular arithmetic unit resources.

■ memory lists only memory resources.

■ io lists only input/output resources, such as a PCI bus or a network.

List Logical Domain Configurations

ldm ls-config

This subcommand lists the logical domain configurations stored on the system controller.

List Variables

ldm ls-var var_name... [ldom...]

This subcommand lists one or more variables for a logical domain.

Where:

■ var_name... is the name of one or more variables to list.

■ ldom... is the name of one or more logical domains for which to list one or more variables.

EXAMPLES

EXAMPLE 1 Create Default Services

Set up the three default services, virtual disk server, virtual switch, and virtual console concentrator, so that you can export those services to the guest domains.

# ldm add-vds primary-vds0 primary
# ldm add-vsw net-dev=e1000g0 primary-vsw0 primary
# ldm add-vcc port-range=5000-5100 primary-vcc0 primary


EXAMPLE 2 List Services

You can list services to ensure they have been created correctly or to see what services you have available.

# ldm ls-services primary
...
Vds: primary-vds0
Vcc: primary-vcc0
    port-range=5000-5100
Vsw: primary-vsw0
    mac-addr=0:14:4f:f9:68:d0
    net-dev=e1000g0
    mode=prog,promisc

EXAMPLE 3 Set Up the Control Domain Initially

The control domain, named primary, is the initial domain that is present when you install the Logical Domains Manager. The control domain has a full complement of resources, and those resources depend on what server you have. Set only those resources you want the control domain to keep, so that you can allocate the remaining resources to the guest domains. Then you can save the configuration on the system controller.

You must reboot so the changes take place. Until this first reboot, the Logical Domains Manager is running in configuration mode. See CPU AND MEMORY (Reconfiguration Operations) for more details about the configuration mode.

If you want to enable networking between the control domain and the other domains, you must plumb the virtual switch on the control domain. You must enable the virtual network terminal server daemon, vntsd(1M), to use consoles on the guest domains.

# ldm set-mau 1 primary
# ldm set-vcpu 4 primary
# ldm set-mem 1G primary
# ldm add-config initial
# shutdown -y -g0 -i6
# ifconfig -a
# ifconfig vsw0 plumb
# ifconfig e1000g0 down unplumb
# ifconfig vsw0 IP_of_e1000g0 netmask netmask_of_e1000g0 broadcast + up
# svcadm enable vntsd


EXAMPLE 4 List Bindings

You can list bindings to see whether the control domain has the resources you specified, or to see what resources are bound to any domain. After the first reboot, compare the Vcpu, Mau, and Memory values against what you set with ldm set-vcpu, ldm set-mau, and ldm set-mem; anything the control domain still holds beyond that is unavailable to guest domains.

# ldm ls-bindings primary
---------------------------------------------------------------------
Name: primary
State: active
Flags: transition,control,vio service
OS:
Util: 12%
Uptime: 11m
Vcpu: 4
    vid pid util  strand
    0   0   18%   100%
    1   1   13%   100%
    2   2   9.8%  100%
    3   3   5.4%  100%
Mau: 1
Memory: 4G
    real-addr   phys-addr   size
    0x4000000   0x4000000   4G
Vars: reboot-command=boot
IO: pci@780 (bus_a)
    pci@7c0 (bus_b)
...

EXAMPLE 5 Create a Logical Domain

Ensure you have the resources to create the desired guest domain configuration, add the guest domain, add the resources and devices you want the domain to have, set boot parameters to tell the system how to behave on startup, bind the resources to the domain, and save the guest domain configuration in an XML file for backup. You also might want to save the primary and guest domain configurations on the SC. Then you can start the domain, find the TCP port of the domain, and connect to it through the default virtual console service. The console port is reached with a plain telnet connection and vntsd does not authenticate the session itself, so anyone who can log in to the control domain can attach to any guest's console; restrict control-domain logins accordingly and do not expose the vntsd ports beyond the loopback address.
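The following shell script is an added example and is not part of the Sun guide. It turns Examples 3 and 4 into a repeatable check: given the text of ldm ls-bindings primary, it confirms the domain carries the control flag, that the bound Vcpu, Mau, and Memory values equal the ones you set, and it lists the PCI buses the control domain still owns (which matters before you hand a bus to an I/O domain). It assumes only a POSIX shell and awk; the embedded SAMPLE text is constructed from the ls-bindings output shown above, and the script falls back to it when ldm is not installed.

```shell
#!/bin/sh
# Added example (not from the LDoms guide): verify the control domain's
# bindings after the first reboot. Checks take the ls-bindings text as an
# argument so they work on a saved copy as well as on live output.

# SAMPLE is constructed from the "ldm ls-bindings primary" output on this page.
SAMPLE='Name: primary
State: active
Flags: transition,control,vio service
OS:
Util: 12%
Uptime: 11m
Vcpu: 4
    vid pid util  strand
    0   0   18%   100%
    1   1   13%   100%
    2   2   9.8%  100%
    3   3   5.4%  100%
Mau: 1
Memory: 4G
    real-addr   phys-addr   size
    0x4000000   0x4000000   4G
Vars: reboot-command=boot
IO: pci@780 (bus_a)
    pci@7c0 (bus_b)'

# field NAME TEXT: the value that follows "NAME:" on the first matching line.
field() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# io_buses TEXT: the PCI buses listed under "IO:", one per line. The first
# bus is on the "IO:" line itself; further buses are on continuation lines.
io_buses() {
    printf '%s\n' "$1" | awk '
        $1 == "IO:"          { inio = 1; print $2; next }
        inio && $1 ~ /^pci@/ { print $1; next }
        inio                 { exit }'
}

# check_primary VCPU MAU MEM TEXT: return 0 when the bound resources match
# the values you set with ldm set-vcpu/set-mau/set-mem and the domain is the
# control domain; return 1 otherwise, reporting each mismatch on stderr.
# MEM must use the unit ldm prints (for example 4G, not 4096M).
check_primary() {
    rc=0
    case ",$(field Flags "$4")," in
        *,control,*) ;;
        *) echo "domain is not the control domain" >&2; rc=1 ;;
    esac
    for pair in "Vcpu=$1" "Mau=$2" "Memory=$3"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(field "$key" "$4")
        if [ "$got" != "$want" ]; then
            echo "$key: bound '$got', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Live use on a control domain; the constructed sample is used when ldm is
# not on PATH so the script can be tried anywhere.
if command -v ldm >/dev/null 2>&1; then
    BINDINGS=$(ldm ls-bindings primary)
else
    BINDINGS=$SAMPLE
fi
check_primary 4 1 4G "$BINDINGS" && echo "primary bindings are as configured"
echo "PCI buses owned by primary:" $(io_buses "$BINDINGS")
```

On a real control domain, replace the three expected values with the ones you passed to ldm set-vcpu, ldm set-mau, and ldm set-mem; a non-zero exit from check_primary means the saved configuration does not match what you intended and should be fixed before you start allocating the remainder to guests.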

124 Logical Domains (LDoms) 1.0 Manager • Last Revised March 26, 2007


# ldm ls-devices
# ldm add-dom ldg1
# ldm add-vcpu 4 ldg1
# ldm add-mem 512m ldg1
# ldm add-vnet vnet1 primary-vsw0 ldg1
# ldm add-vdsdev /dev/dsk/c0t1d0s2 vol1@primary-vds0
# ldm add-vdisk vdisk1 vol1@primary-vds0 ldg1
# ldm set-var auto-boot\?=false ldg1
# ldm set-var boot-device=vdisk ldg1
# ldm bind-dom ldg1
# ldm ls-constraints -x ldg1 > ldg1.xml
# ldm add-config ldg1_4cpu_512M
# ldm start-dom ldg1
# ldm ls -l ldg1
# telnet localhost 5000

EXAMPLE 6 Use One Terminal for Many Guest Domains

Normally, each guest domain you create has its own TCP port and console. Once you have created the first guest domain (ldg1 in this example) and bound it, you can use the ldm set-vcons command after you bind each of the other guest domains (the second domain is ldg2 in this example) to attach all the domains to the same console port. Grouping consoles also means that anyone who can connect to that one port can reach the console of every domain in the group, so group only domains that the same administrators are allowed to control.

If you run the ldm ls -l command after performing the set-vcons commands on all guest domains but the first, you can see that all domains are connected to the same port. Refer to the Solaris 10 OS vntsd(1M) man page for more information about using consoles.

# ldm set-vcons ldg1@primary-vcc0 ldg2

EXAMPLE 7 Add a Virtual PCI Bus to a Logical Domain

I/O domains are a type of service domain that have direct ownership of and direct access to physical I/O devices. The I/O domain then provides the service to the guest domain in the form of a virtual I/O device. This example shows how to add a virtual PCI bus to a logical domain. A PCI bus has a single owner; in the default configuration both buses (pci@780 and pci@7c0 in Example 4) belong to the control domain, so the bus must first be removed from the control domain, and that domain rebooted, before it can be added to ldg1.

# ldm add-io pci@7c0 ldg1

EXAMPLE 8 Add Virtual Data Plane Channel Functionality for Netra Only

If your server has a Netra Data Plane Software (NDPS) environment, you might want to add virtual data plane channel functionality. First, you would add a virtual data plane channel service (primary-vdpcs0 for example) to the service domain; in this case, the primary domain.

# ldm add-vdpcs primary-vdpcs0 primary


Now that you have added the service to the service domain (primary), you can add the virtual data plane channel client (vdpcc1) to a guest domain (ldg1).

# ldm add-vdpcc vdpcc1 primary-vdpcs0 ldg1

EXAMPLE 9 Cancel Delayed Reconfiguration Operations for a Domain

A delayed reconfiguration operation blocks configuration operations on all other domains. There might be times when you want to cancel the delayed configuration operations for one domain, for example, so that you can perform other configuration commands on that domain or on other domains. As another example, you might have attempted to add some memory to a domain (ldg1) and the Logical Domains Manager invoked delayed reconfiguration because the domain was not stopped. With this command, you can undo the delayed reconfiguration operation, stop the domain, and add the memory again.

# ldm rm-reconf ldg1

ATTRIBUTES Refer to the Solaris OS attributes(5) man page for a description of the following attributes:

    Attribute Types          Attribute Values
    Availability             SUNWldm
    Interface Stability      Uncommitted

REFER ALSO Refer also to the Solaris OS vntsd(1M) man page, the Beginners Guide for LDoms: Understanding and Deploying Logical Domains, and the Logical Domains (LDoms) 1.0 Administration Guide.


Glossary

This list defines terminology, abbreviations, and acronyms in the Logical Domains 1.0 documentation.

A

ALOM CMT  Advanced Lights Out Manager Chip Multithreading, which runs on the system controller and allows you to monitor and control your CMT server.

B

bge  Broadcom Gigabit Ethernet driver on Broadcom BCM57xx devices

BSM  Basic Security Module

C

CLI  command-line interface

config  name of a logical domain configuration saved on the system controller

CMT  Chip Multithreading


constraints  To the Logical Domains Manager, constraints are one or more resources you want to have assigned to a particular domain. You either receive all the resources you ask to be added to a domain or you get none of them, depending upon the available resources.

control domain  domain that creates and manages other logical domains and services

CPU  central processing unit

D

DHCP  Dynamic Host Configuration Protocol

DMP  Dynamic Multipathing (Veritas)

DR  dynamic reconfiguration

drd(1M)  dynamic reconfiguration daemon for the Logical Domains Manager (Solaris 10 OS)

E

e1000g  driver for the Intel PRO/1000 Gigabit family of network interface controllers

EFI  Extensible Firmware Interface

F

FMA  Fault Management Architecture

fmd(1M)  fault management daemon (Solaris 10 OS)

FTP  File Transfer Protocol

128 Logical Domains (LDoms) 1.0 Administration Guide • May 2007


G

guest domain  uses services from the I/O and service domains and is managed by the control domain

GLDv3  Generic LAN Driver version 3

H

HDD  hard disk drive

hypervisor  firmware layer interposed between the operating system and the hardware layer

I

io  I/O devices, such as internal disks and PCI-Express (PCI-E) controllers and their attached adapters and devices

I/O domain  domain that has direct ownership of and direct access to physical I/O devices and that shares those devices with other logical domains in the form of virtual devices

ioctl  input/output control call

IP  Internet Protocol

IPMP  Internet Protocol Network Multipathing

K

kaio  kernel asynchronous input/output

KB  kilobyte

KU  kernel update


L

LAN  local-area network

LDAP  Lightweight Directory Access Protocol

LDC  logical domain channel

ldm(1M)  Logical Domains Manager utility

ldmd  Logical Domains Manager daemon

logical domain  discrete logical grouping with its own operating system, resources, and identity within a single computer system

Logical Domains (LDoms) Manager  provides a CLI to create and manage logical domains and allocate resources to domains

M

MAC  media access control address, which LDoms can automatically assign or you can assign manually

mau  modular arithmetic unit, the cryptographic device for supported servers

MB  megabyte

MD  machine description in the server database

mem, memory  memory unit; the default size is in bytes, or specify gigabytes (G), kilobytes (K), or megabytes (M). Virtualized memory of the server that can be allocated to guest domains.

MMF  multimode fiber

MMU  memory management unit

mtu  maximum transmission unit


N

NAT  Network Address Translation

NDPS  Netra Data Plane Software

ndpsldcc  Netra Data Plane Software Logical Domain Channel Client. See also vdpcc.

ndpsldcs  Netra Data Plane Software Logical Domain Channel Service. See also vdpcs.

NFS  Network File System

NIS  Network Information Services

NTS  network terminal server

NVRAM  non-volatile random-access memory

nxge  driver for the Sun x8 Express 1/10G Ethernet Adapter

O

OS  operating system

P

PCI  peripheral component interconnect bus

PCI-E  PCI Express bus

PCI-X  PCI Extended bus

R

RAID  Redundant Array of Inexpensive Disks

RBAC  Role-Based Access Control


RPC  Remote Procedure Call

S

SC  system controller, same as system processor

SCSI  Small Computer System Interface

service domain  logical domain that provides devices, such as virtual switches, virtual console concentrators, and virtual disk servers, to other logical domains

SMA  System Management Agent

SMF  Service Management Facility of the Solaris 10 OS

SNMP  Simple Network Management Protocol

SP  system processor, same as system controller

SSH  Secure Shell

ssh(1)  Secure Shell command

sshd(1M)  Secure Shell daemon

SunVTS  Sun Validation Test Suite

SVM  Solaris Volume Manager

T

TCP  Transmission Control Protocol

U

UDP  User Datagram Protocol

USB  Universal Serial Bus


V

vBSC  Virtual Blade System Controller

vcc, vconscon  virtual console concentrator service with a specific port range to assign to the guest domains

vcons, vconsole  virtual console for accessing system-level messages. A connection is made by connecting to the vconscon service in the control domain at a specific port.

vcpu  virtual central processing unit. Each hardware thread (strand) of each core of a server is represented as a virtual CPU. For example, an 8-core Sun Fire T2000 Server, with four threads per core, has 32 virtual CPUs that can be allocated between the logical domains.

vdpcc  virtual data plane channel client in an NDPS environment

vdpcs  virtual data plane channel service in an NDPS environment

vdisk  virtual disks are generic block devices backed by different types of physical devices, volumes, or files

vds, vdiskserver  virtual disk server allows you to import virtual disks into a logical domain

vdsdev, vdiskserverdevice  virtual disk server device is exported by the virtual disk server. The device can be an entire disk, a slice on a disk, a file, or a disk volume.

vnet  virtual network device implements a virtual Ethernet device and communicates with other vnet devices in the system using the virtual network switch (vswitch)

vntsd(1M)  virtual network terminal server daemon for Logical Domains consoles (Solaris 10 OS)

vsw, vswitch  virtual network switch that connects the virtual network devices to the external network and also switches packets between them

VTOC  volume table of contents

VxVM  Veritas Volume Manager

W

WAN  wide-area network


X

XML  Extensible Markup Language

Z

ZFS  Zettabyte File System (Solaris 10 OS)

zpool  ZFS storage pool
